finally got around to making the rules prettier (any instead of 0.0.0.0/0)

Author: Mike Moss

.gitignore

@@ -6,6 +6,8 @@ bin/wofgen_netsh
 bin/wofgen_netsh.exe
 bin/wofgen_pf
 bin/wofgen_pf.exe
+bin/wofgen_ipf
+bin/wofgen_ipf.exe
 bin/wofgen_ufw
 bin/wofgen_ufw.exe
 bin/wofgen_wipfw

bin/Makefile

@@ -5,7 +5,7 @@ SRC=../src
 
 WOFGEN_SRC=$(SRC)/main.cpp $(SRC)/parser.cpp $(SRC)/parser_util.cpp $(SRC)/string_util.cpp
 
-all: wofgen_ipfw wofgen_iptables wofgen_netsh wofgen_pf wofgen_ufw wofgen_wipfw
+all: wofgen_ipfw wofgen_iptables wofgen_netsh wofgen_pf wofgen_ipf wofgen_ufw wofgen_wipfw
 
 wofgen_ipfw: $(WOFGEN_SRC) $(SRC)/ipfw.cpp
 	$(CXX) $(CFLAGS) $^ -o $@ -D WOFGEN_IPFW
@@ -19,6 +19,9 @@ wofgen_netsh: $(WOFGEN_SRC) $(SRC)/netsh.cpp
 wofgen_pf: $(WOFGEN_SRC) $(SRC)/pf.cpp
 	$(CXX) $(CFLAGS) $^ -o $@ -D WOFGEN_PF
 
+wofgen_ipf: $(WOFGEN_SRC) $(SRC)/ipf.cpp
+	$(CXX) $(CFLAGS) $^ -o $@ -D WOFGEN_IPF
+
 wofgen_ufw: $(WOFGEN_SRC) $(SRC)/ufw.cpp
 	$(CXX) $(CFLAGS) $^ -o $@ -D WOFGEN_UFW
 
@@ -30,5 +33,6 @@ clean:
 	- rm -f wofgen_iptables wofgen_iptables.exe
 	- rm -f wofgen_netsh wofgen_netsh.exe
 	- rm -f wofgen_pf wofgen_pf.exe
+	- rm -f wofgen_ipf wofgen_ipf.exe
 	- rm -f wofgen_ufw wofgen_ufw.exe
 	- rm -f wofgen_wipfw wofgen_wipfw.exe

src/ipf.cpp

@@ -0,0 +1,71 @@
+#include "parser.hpp"
+#include <string>
+
+std::string pre_rules(std::string def_out,std::string def_in)
+{
+	if(def_out=="deny")
+		def_out="block";
+	else
+		def_out="pass ";
+	if(def_in=="deny")
+		def_in="block";
+	else
+		def_in="pass ";
+	std::string pre;
+	pre+="#Usually goes in: /etc/ipf/ipf.conf\n";
+	pre+="#You may need to enable the firewall service: svcadm enable ipfilter\n";
+	pre+=def_out+" out log all\n";
+	pre+=def_in+" in  log all\n";
+	return pre;
+}
+
+std::string post_rules(std::string def_out,std::string def_in)
+{
+	return "";
+}
+
+std::string gen_rule(wof_t wof)
+{
+	if(wof_is_any_ip(wof.l_ip,wof.l_mask,wof.V6))
+		wof.l_ip="any";
+	if(wof_is_any_ip(wof.f_ip,wof.f_mask,wof.V6))
+		wof.f_ip="any";
+	if(wof.l_mask!="0"&&!wof_is_exact_ip(wof.l_mask,wof.V6))
+		wof.l_ip+="/"+wof.l_mask;
+	if(wof.f_mask!="0"&&!wof_is_exact_ip(wof.f_mask,wof.V6))
+		wof.f_ip+="/"+wof.f_mask;
+
+	std::string rule;
+	if(wof.action=="deny")
+		rule+="block";
+	else
+		rule+="pass ";
+	std::string dir_str=" out";
+	if(wof.dir=="<")
+	{
+		dir_str=" in ";
+		std::swap(wof.l_ip,wof.f_ip);
+		std::swap(wof.l_mask,wof.f_mask);
+		std::swap(wof.l_port,wof.f_port);
+	}
+	rule+=dir_str;
+	rule+=" log quick ";
+	rule+="proto "+wof.proto;
+
+	if(wof.l_ip!="any"||wof.l_port!="0")
+		rule+=" from";
+	if(wof.l_ip!="any")
+		rule+=" "+wof.l_ip;
+	if(wof.l_port!="0")
+		rule+=" port="+wof.l_port;
+
+	if(wof.f_ip!="any"||wof.f_port!="0")
+		rule+=" to";
+	if(wof.f_ip!="any")
+		rule+=" "+wof.f_ip;
+	if(wof.f_port!="0")
+		rule+=" port="+wof.f_port;
+	rule+=" keep state";
+
+	return rule;
+}

src/ipfw.cpp

@@ -25,6 +25,15 @@ std::string post_rules(std::string def_out,std::string def_in)
 
 std::string gen_rule(wof_t wof)
 {
+	if(wof_is_any_ip(wof.l_ip,wof.l_mask,wof.V6))
+		wof.l_ip="any";
+	if(wof_is_any_ip(wof.f_ip,wof.f_mask,wof.V6))
+		wof.f_ip="any";
+	if(wof.l_mask!="0"&&!wof_is_exact_ip(wof.l_mask,wof.V6))
+		wof.l_ip+="/"+wof.l_mask;
+	if(wof.f_mask!="0"&&!wof_is_exact_ip(wof.f_mask,wof.V6))
+		wof.f_ip+="/"+wof.f_mask;
+
 	std::string rule;
 	rule+="ipfw -q add ";
 	if(wof.action=="deny")
@@ -41,10 +50,10 @@ std::string gen_rule(wof_t wof)
 		std::swap(wof.l_port,wof.f_port);
 	}
 	rule+=wof.proto;
-	rule+=" from "+wof.l_ip+"/"+wof.l_mask;
+	rule+=" from "+wof.l_ip;
 	if(wof.l_port!="0")
 		rule+=" "+wof.l_port;
-	rule+=" to "+wof.f_ip+"/"+wof.f_mask;
+	rule+=" to "+wof.f_ip;
 	if(wof.f_port!="0")
 		rule+=" "+wof.f_port;
 	rule+=dir_str;

src/iptables.cpp

@@ -65,12 +65,21 @@ std::string post_rules(std::string def_out,std::string def_in)
 
 std::string gen_rule(wof_t wof)
 {
-	std::string rule;
+	if(wof_is_any_ip(wof.l_ip,wof.l_mask,wof.V6))
+		wof.l_ip="any";
+	if(wof_is_any_ip(wof.f_ip,wof.f_mask,wof.V6))
+		wof.f_ip="any";
+	if(wof.l_mask!="0"&&!wof_is_exact_ip(wof.l_mask,wof.V6))
+		wof.l_ip+="/"+wof.l_mask;
+	if(wof.f_mask!="0"&&!wof_is_exact_ip(wof.f_mask,wof.V6))
+		wof.f_ip+="/"+wof.f_mask;
+
+		std::string rule;
 	if(wof.V6)
 		rule+="ip6tables";
 	else
 		rule+="iptables";
-	rule+=" --append ";
+	rule+=" -A ";
 	std::string dir_str="OUTPUT";
 	std::string l_letter="s";
 	std::string f_letter="d";
@@ -81,17 +90,21 @@ std::string gen_rule(wof_t wof)
 	}
 	rule+=dir_str;
 	rule+=" -p "+wof.proto;
-	rule+=" -" +l_letter+" "    +wof.l_ip+"/"+wof.l_mask;
 
+	if(wof.l_ip!="any")
+		rule+=" -" +l_letter+" "    +wof.l_ip;
 	if(wof.l_port!="0")
 		rule+=" --"+l_letter+"port "+wof.l_port;
-	rule+=" -" +f_letter+" "    +wof.f_ip+"/"+wof.f_mask;
+	if(wof.f_ip!="any")
+		rule+=" -" +f_letter+" "    +wof.f_ip;
 	if(wof.f_port!="0")
 		rule+=" --"+f_letter+"port "+wof.f_port;
-	rule+=" --jump ";
+	rule+=" -j ";
+
 	if(wof.action=="deny")
 		rule+="DROP";
 	else
 		rule+="ACCEPT";
+
 	return rule;
 }

src/netsh.cpp

@@ -38,6 +38,15 @@ std::string post_rules(std::string def_out,std::string def_in)
 
 std::string gen_rule(wof_t wof)
 {
+	if(wof_is_any_ip(wof.l_ip,wof.l_mask,wof.V6))
+		wof.l_ip="any";
+	if(wof_is_any_ip(wof.f_ip,wof.f_mask,wof.V6))
+		wof.f_ip="any";
+	if(wof.l_mask!="0"&&!wof_is_exact_ip(wof.l_mask,wof.V6))
+		wof.l_ip+="/"+wof.l_mask;
+	if(wof.f_mask!="0"&&!wof_is_exact_ip(wof.f_mask,wof.V6))
+		wof.f_ip+="/"+wof.f_mask;
+
 	std::string rule;
 	rule+="netsh advfirewall firewall add rule profile=any ";
 	rule+="name=\""+to_string(rule_num++)+"\"";
@@ -50,16 +59,10 @@ std::string gen_rule(wof_t wof)
 	else
 		rule+=" action=allow";
 	rule+=" protocol="+wof.proto;
-	rule+=" localip=";
-	if(wof.l_mask!="0")
-		rule+=wof.l_ip+"/"+wof.l_mask;
-	else
-		rule+="any";
-	rule+=" remoteip=";
-	if(wof.f_mask!="0")
-		rule+=wof.f_ip+"/"+wof.f_mask;
-	else
-		rule+="any";
+	if(wof.l_ip!="any")
+		rule+=" localip="+wof.l_ip;
+	if(wof.f_ip!="any")
+		rule+=" remoteip="+wof.f_ip;
 	if(wof.l_port!="0")
 		rule+=" localport="+wof.l_port;
 	if(wof.f_port!="0")

src/parser.cpp

@@ -73,4 +73,14 @@ void wof_parse_line(std::string line,std::string& output,
 		if(line.size()>0)
 			throw std::runtime_error("Unknown string \""+line+"\".");
 	}
+}
+
+bool wof_is_any_ip(const std::string& ip,const std::string& mask,const bool V6)
+{
+	return (mask=="0"||(!V6&&ip=="0.0.0.0")||(V6&&ip=="::"));
+}
+
+bool wof_is_exact_ip(const std::string& mask,const bool V6)
+{
+	return ((!V6&&mask=="32")||(V6&&mask=="128"));
 }

src/parser.hpp

@@ -20,4 +20,8 @@ struct wof_t
 void wof_parse_line(std::string line,std::string& output,
 	std::string& def_out,std::string& def_in);
 
+bool wof_is_any_ip(const std::string& ip,const std::string& mask,const bool V6);
+
+bool wof_is_exact_ip(const std::string& mask,const bool V6);
+
 #endif

src/pf.cpp

@@ -25,6 +25,15 @@ std::string post_rules(std::string def_out,std::string def_in)
 
 std::string gen_rule(wof_t wof)
 {
+	if(wof_is_any_ip(wof.l_ip,wof.l_mask,wof.V6))
+		wof.l_ip="any";
+	if(wof_is_any_ip(wof.f_ip,wof.f_mask,wof.V6))
+		wof.f_ip="any";
+	if(wof.l_mask!="0"&&!wof_is_exact_ip(wof.l_mask,wof.V6))
+		wof.l_ip+="/"+wof.l_mask;
+	if(wof.f_mask!="0"&&!wof_is_exact_ip(wof.f_mask,wof.V6))
+		wof.f_ip+="/"+wof.f_mask;
+
 	std::string rule;
 	if(wof.action=="deny")
 		rule+="block";
@@ -45,10 +54,10 @@ std::string gen_rule(wof_t wof)
 	else
 		rule+="inet  ";
 	rule+="proto "+wof.proto;
-	rule+=" from "+wof.l_ip+"/"+wof.l_mask;
+	rule+=" from "+wof.l_ip;
 	if(wof.l_port!="0")
 		rule+=" port "+wof.l_port;
-	rule+=" to "+wof.f_ip+"/"+wof.f_mask;
+	rule+=" to "+wof.f_ip;
 	if(wof.f_port!="0")
 		rule+=" port "+wof.f_port;
 

src/ufw.cpp

@@ -23,12 +23,22 @@ std::string post_rules(std::string def_out,std::string def_in)
 
 std::string gen_rule(wof_t wof)
 {
+	if(wof_is_any_ip(wof.l_ip,wof.l_mask,wof.V6))
+		wof.l_ip="any";
+	if(wof_is_any_ip(wof.f_ip,wof.f_mask,wof.V6))
+		wof.f_ip="any";
+	if(wof.l_mask!="0"&&!wof_is_exact_ip(wof.l_mask,wof.V6))
+		wof.l_ip+="/"+wof.l_mask;
+	if(wof.f_mask!="0"&&!wof_is_exact_ip(wof.f_mask,wof.V6))
+		wof.f_ip+="/"+wof.f_mask;
+
 	std::string rule;
 	rule+="ufw ";
 	if(wof.action=="deny")
 		rule+="deny";
 	else
 		rule+="allow";
+
 	std::string dir_str=" out";
 	if(wof.dir=="<")
 	{
@@ -37,12 +47,13 @@ std::string gen_rule(wof_t wof)
 		std::swap(wof.l_mask,wof.f_mask);
 		std::swap(wof.l_port,wof.f_port);
 	}
+
 	rule+=dir_str;
 	rule+=" proto "+wof.proto;
-	rule+=" from "+wof.l_ip+"/"+wof.l_mask;
+	rule+=" from "+wof.l_ip;
 	if(wof.l_port!="0")
 		rule+=" port "+wof.l_port;
-	rule+=" to "+wof.f_ip+"/"+wof.f_mask;
+	rule+=" to "+wof.f_ip;
 	if(wof.f_port!="0")
 		rule+=" port "+wof.f_port;
 

src/wipfw.cpp

@@ -21,6 +21,15 @@ std::string post_rules(std::string def_out,std::string def_in)
 
 std::string gen_rule(wof_t wof)
 {
+	if(wof_is_any_ip(wof.l_ip,wof.l_mask,wof.V6))
+		wof.l_ip="any";
+	if(wof_is_any_ip(wof.f_ip,wof.f_mask,wof.V6))
+		wof.f_ip="any";
+	if(wof.l_mask!="0"&&!wof_is_exact_ip(wof.l_mask,wof.V6))
+		wof.l_ip+="/"+wof.l_mask;
+	if(wof.f_mask!="0"&&!wof_is_exact_ip(wof.f_mask,wof.V6))
+		wof.f_ip+="/"+wof.f_mask;
+
 	std::string rule;
 	rule+="-q add ";
 	if(wof.action=="deny")
@@ -37,14 +46,14 @@ std::string gen_rule(wof_t wof)
 		std::swap(wof.l_port,wof.f_port);
 	}
 	rule+=wof.proto;
-	rule+=" from "+wof.l_ip+"/"+wof.l_mask;
+	rule+=" from "+wof.l_ip;
 	if(wof.l_port!="0")
 		rule+=" "+wof.l_port;
-	rule+=" to "+wof.f_ip+"/"+wof.f_mask;
+	rule+=" to "+wof.f_ip;
 	if(wof.f_port!="0")
 		rule+=" "+wof.f_port;
 	rule+=dir_str;
 	rule+=" keep-state";
 
 	return rule;
-}
+}