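host.HostAddresses.printAddressesFormatted(ps, indent, m.port, m.prend);
            break;
    }
} else ps.println();
}

// persistence methods

/**
 * Write object data to a persistent output stream.
 * <p>
 * Only the configuration part of the rule is persisted; the runtime
 * fields {@code fw_line}, {@code timeout}, {@code usage} and {@code bytes}
 * are not written. The tag/field order here must stay identical to the
 * order in {@link #read(PersistentInputStream)}.
 *
 * @param ps Stream
 * @see PersistentOutputStream
 */
public void write(PersistentOutputStream ps) {
    ps.writeInt("Rule=", templateID);
    ps.writeInt("subID=", subID);
    ps.writeBoolean("active=", active);
    ps.writeBoolean("changed=", changed);
    ps.writeBoolean("warn=", warn);
    ps.writeBoolean("priority=", priority);
    // length prefix first so read() can size the array before the flags
    ps.writeInt("validForLength=", validFor.length);
    for (int i = 0; i < validFor.length; i++) {
        ps.writeBoolean("validFor=", validFor[i]);
    }
    ps.writeString("comment=", comment);
    ps.writeInt("level_num=", level_num);
    ps.writeInt("timeout_type=", timeout_type);
    ps.writeInt("fw_rc=", fw_rc);
    ps.writeInt("fw_src_idx=", fw_src_idx);
    ps.writeInt("fw_src_cnt=", fw_src_cnt);
    ps.writeInt("fw_dst_idx=", fw_dst_idx);
    ps.writeInt("fw_dst_cnt=", fw_dst_cnt);
    ps.writeInt("fw_flags=", fw_flags);
    ps.writeInt("ttl=", ttl);
    ps.writeInt("protocol=", protocol);
    ps.writeInt("fw_rip_idx=", fw_rip_idx);
    ps.writeInt("fw_rip_cnt=", fw_rip_cnt);
}

/**
 * Read object data from a persistent input stream.
 * <p>
 * Reads the fields in exactly the order written by
 * {@link #write(PersistentOutputStream)}. The {@code validFor} array is
 * re-allocated from the stored length.
 *
 * @param ps Stream
 * @throws java.io.IOException if the stream fails, or if the stored
 *         {@code validForLength=} value is negative (malformed record)
 * @see PersistentInputStream
 */
public void read(PersistentInputStream ps) throws java.io.IOException {
    templateID = ps.readInt("Rule=");
    subID = ps.readInt("subID=");
    active = ps.readBoolean("active=");
    changed = ps.readBoolean("changed=");
    warn = ps.readBoolean("warn=");
    priority = ps.readBoolean("priority=");
    int len = ps.readInt("validForLength=");
    // The length is taken straight from the stream. A negative value would
    // otherwise escape as a NegativeArraySizeException instead of the
    // declared IOException, so reject it as a malformed record here.
    if (len < 0) {
        throw new java.io.IOException("validForLength= is negative: " + len);
    }
    validFor = new boolean[len];
    for (int i = 0; i < len; i++) {
        validFor[i] = ps.readBoolean("validFor=");
    }
    comment = ps.readString("comment=");
    level_num = ps.readInt("level_num=");
    timeout_type = ps.readInt("timeout_type=");
    fw_rc = ps.readInt("fw_rc=");
    fw_src_idx = ps.readInt("fw_src_idx=");
    fw_src_cnt = ps.readInt("fw_src_cnt=");
    fw_dst_idx = ps.readInt("fw_dst_idx=");
    fw_dst_cnt = ps.readInt("fw_dst_cnt=");
    fw_flags = ps.readInt("fw_flags=");
    ttl = ps.readInt("ttl=");
    protocol = ps.readInt("protocol=");
    fw_rip_idx = ps.readInt("fw_rip_idx=");
    fw_rip_cnt = ps.readInt("fw_rip_cnt=");
}

// additional rule data for GUI configuration
protected int templateID = -1;        // ID for autoconfigured rules
protected int subID = 0;              // sub ID for server rules
                                      // 1 = level-1-rule
                                      // 2 = from-outside-rule
                                      // 3 = from-inside-rule
protected boolean active = true;      // if active==false rule is ignored
protected boolean changed = false;    // user has manually changed autoconfigured rule
protected boolean warn = false;       // changed rule has been overwritten
protected boolean priority = false;   // priority rule
protected boolean[] validFor;         // rule is valid for specific firewalls,
                                      // index from ManageDomain.Firewalls
protected String comment = "";        // comment

// rule data from sf_global.h
protected int fw_line;                // line number in config file (not persisted)
protected int level_num = 0;          // number of notification level
protected static final int SF_TIMEOUT_VALID = 0;
protected static final int SF_RULE_CONNECTION = -1;
protected static final int SF_RULE_STATIC = -2;
protected static final int SF_RULE_SPOOFING = -3;
protected static final int SF_RULE_OVERSIZED = -4;
protected int timeout_type = -2;      // one of the SF_TIMEOUT_*/SF_RULE_* values above
protected Date timeout;               // timeout value for dynamic rules (not persisted)

protected int fw_rc = FW_ACCEPT;      // return code on match
protected static final int SF_RC_BEST = 100;
protected static final int SF_RC_TREJECT = 20;    /* reject TCP or UDP style */
protected static final int SF_RC_ECHO = 21;       /* generate ICMP echo request -- ICMP only */
protected static final int SF_RC_OBSERVE = 22;    /* generate log entry, skip to next rule */
protected static final int FW_BLOCK = 1;
protected static final int FW_ACCEPT = 2;
protected static final int FW_REJECT = -1;
protected static final int SF_RC_RNET = -2;       /* reject packet with icmp_net_unreachable */
protected static final int SF_RC_RPROTO = -3;     /* reject packet with icmp_protocol_unreachable */
protected static final int SF_RC_RPORT = -4;      /* reject packet with icmp_port_unreachable */

/**
 * Address information<br>
 * positive: index to address array<br>
 * zero: any addresses<br>
 * -1..-4: special values for dynamic rules<br>
 * &lt;=-100: address macro number
 */
protected int fw_src_idx;             // index to address array
protected int fw_src_cnt;

/**
 * Address information<br>
 * positive: index to address array<br>
 * zero: any addresses<br>
 * -1..-4: special values for dynamic rules<br>
 * &lt;=-100: address macro number
 */
protected int fw_dst_idx;
protected int fw_dst_cnt;

// idx-values <= -100 are macro numbers (absolute value - 100)
// idx -100 (macro 0) inside / outside (for server access)
// idx -101 (macro 1) == inside
// idx -102 (macro 2) == outside
protected static final int SF_SOURCEHOST = -1;
protected static final int SF_SOURCENET = -2;
protected static final int SF_DESTHOST = -3;
protected static final int SF_DESTNET = -4;
protected static final int SF_FIRSTMACRO = -100;
protected static final int SF_FIRSTMACRO_ABS = Math.abs(SF_FIRSTMACRO);

protected int fw_flags;               // flags
                                      // flags constants see below
protected int ttl;                    // time to live
protected int protocol;               // protocol
protected static final int IPPROTO_ICMP = 1;
protected static final int IPPROTO_IGMP = 2;
protected static final int IPPROTO_TCP = 6;
protected static final int IPPROTO_UDP = 17;

/**
 * Address information<br>
 * positive: index to address array<br>
 * zero: any addresses<br>
 * -1..-4: special values for dynamic rules<br>
 * &lt;=-100: address macro number
 */
protected int fw_rip_idx;             // RIP addresses index to address array
protected int fw_rip_cnt;

protected int usage;                  // usage counter (not persisted)
protected long bytes;                 // byte counter (not persisted)
// long arithmetic so the products can never overflow an int
protected static final long GIGA = 1024L * 1024 * 1024;
protected static final long MEGA = 1024L * 1024;
protected static final long KILO = 1024L;

/*
 * Values for "flags" field:
 *   bit    meaning
 *   0      log packet (notification_level > 0)
 *   1      check ttl field
 *   2-3    ttl: 00 -> ttl == value
 *               01 -> ttl <  value
 *               10 -> ttl >  value
 *               11 -> ttl != value
 *   4      1 == match "from" if none of the specified
 *          addresses match (used for "outside")
 *   5      1 == match "to" if none of the specified
 *          addresses match (used for "outside")
 *   6      option record_route
 *   7      option timestamp
 *   8      option security
 *   9      option loose_source_route
 *   10     option strict_source_route
 *   11     option sat_id
 *   12-15  protocol: 0000 all protocols
 *                    0001 rip
 *                    1111 current protocol (dynamic rule)
 *   16-31  type (protocol dependent)
 */
protected static final int SF_FW_LOG = 0x0001;            /* log packet */
protected static final int SF_FW_CHECK_TTL = 0x0002;      /* check time to live field */
protected static final int SF_FW_TTL = 0x000E;            /* mask for the ttl bits (1-3) */
protected static final int SF_FW_TTL_EQUAL = 0x0002;      /* ttl == value */
protected static final int SF_FW_TTL_LESS = 0x0006;       /* ttl < value */
protected static final int SF_FW_TTL_GREATER = 0x000A;    /* ttl > value */
protected static final int SF_FW_TTL_NOTEQUAL = 0x000E;   /* ttl != value */
protected static final int SF_FW_SRC_NEG = 0x0010;        /* from condition negated */
protected static final int SF_FW_DST_NEG = 0x0020;        /* to condition negated */
protected static final int SF_FW_CHECK_OPT = 0x0FC0;      /* check for options */
protected static final int SF_FW_OPT_RR = 0x0040;         /* record route */
protected static final int SF_FW_OPT_TS = 0x0080;         /* time stamp */
protected static final int SF_FW_OPT_SEC = 0x0100;        /* security */
protected static final int SF_FW_OPT_LSR = 0x0200;        /* loose source route */
protected static final int SF_FW_OPT_SSR = 0x0400;        /* strict source route */
protected static final int SF_FW_OPT_SATID = 0x0800;      /* sat id */
protected static final int SF_FW_PROT = 0xF000;           /* mask to isolate protocol */
protected static final int SF_FW_PROT_ALL = 0x0000;       /* matches all protocols */
protected static final int SF_FW_PROT_RIP = 0x1000;       /* rip */
protected static final int SF_FW_CHECK_PROTOCOL = 0xE000; /* compare protocol field */
protected static final int SF_FW_PROT_CURRENT = 0xF000;   /* match current protocol in dynamic rule */

/* definitions for protocol dependent type bits: */
protected static final int SF_TYPE_MASK = 0xFFFF0000;     /* mask to isolate protocol dependent bits */
protected static final int SF_FTP_DATA_LOG = 0x00010000;  /* log data connections (TCP and ALL only) */
protected static final int SF_FTP_NO_ACTIVE = 0x00020000; /* don't allow FTP active mode */
protected static final int SF_FTP_NO_PASSIVE = 0x00040000; /* don't allow FTP passive mode */
protected static final int SF_CHECK_SEQUENCE = 0x00080000; /* check sequence numbers */

protected static final int SF_ICMP_ALLTYPES = 0x00000000;
protected static final int SF_ICMP_ECHOREPLY = 0x00010000;      /* Echo Reply */
protected static final int SF_ICMP_DEST_UNREACH = 0x00020000;   /* Destination Unreachable */
protected static final int SF_ICMP_SOURCE_QUENCH = 0x00040000;  /* Source Quench */
protected static final int SF_ICMP_REDIRECT = 0x00080000;       /* Redirect (change route) */
protected static final int SF_ICMP_ECHO = 0x00100000;           /* Echo Request */
protected static final int SF_ICMP_TIME_EXCEEDED = 0x00200000;  /* Time Exceeded */
protected static final int SF_ICMP_PARAMETERPROB = 0x00400000;  /* Parameter Problem */
protected static final int SF_ICMP_TIMESTAMP = 0x00800000;      /* Timestamp Request */
protected static final int SF_ICMP_TIMESTAMPREPLY = 0x01000000; /* Timestamp Reply */
protected static final int SF_ICMP_INFO_REQUEST = 0x02000000;   /* Information Request */
protected static final int SF_ICMP_INFO_REPLY = 0x04000000;     /* Information Reply */
protected static final int SF_ICMP_ADDRESS = 0x08000000;        /* Address Mask Request */
protected static final int SF_ICMP_ADDRESSREPLY = 0x10000000;   /* Address Mask Reply */

protected static final int SF_IGMP_ALLTYPES = 0x00000000;
protected static final int SF_IGMP_HOST_MEMBERSHIP_QUERY = 0x00010000;  /* From RFC1112 */
protected static final int SF_IGMP_HOST_MEMBERSHIP_REPORT = 0x00020000; /* Ditto */
protected static final int SF_IGMP_HOST_LEAVE_MESSAGE = 0x00040000;     /* An extra BSD seems to send */

protected static final int SF_RIP_ADDR_NEG = 0x00010000; /* match rip-addr if none of the specified */
                                                         /* addresses match (used for "outside") */

// Highest protocol number with a dedicated name below; the final entry is
// the prefix used to render numbers 104-255.
protected static final int MAX_PROTOCOL = 103;
protected static final String[] protocols = {
    "Prot. 0",      /* 0 Reserved */
    "ICMP",         /* 1 Internet Control Message */
    "IGMP",         /* 2 Internet Group Management */
    "GGP",          /* 3 Gateway-to-Gateway */
    "IP encap.",    /* 4 IP in IP (encapsulation) */
    "ST",           /* 5 Stream */
    "TCP",          /* 6 Transmission Control */
    "CBT",          /* 7 CBT */
    "EGP",          /* 8 Exterior Gateway Protocol */
    "IGP",          /* 9 Any private interior gateway */
    "BBN-RCC-MON",  /* 10 BBN-RCC-MON BBN RCC Monitoring */
    "NVP-II",       /* 11 Network Voice Protocol */
    "PUP",          /* 12 PUP */
    "ARGUS",        /* 13 ARGUS */
    "EMCON",        /* 14 EMCON */
    "XNET",         /* 15 Cross Net Debugger */
    "CHAOS",        /* 16 Chaos */
    "UDP",          /* 17 User Datagram */
    "MUX",          /* 18 Multiplexing */
    "DCN-MEAS",     /* 19 Measurement Subsystems */
    "HMP",          /* 20 Host Monitoring */
    "PRM",          /* 21 Packet Radio Measurement */
    "XNS-IDP",      /* 22 XEROX NS IDP */
    "TRUNK-1",      /* 23 Trunk-1 */
    "TRUNK-2",      /* 24 Trunk-2 */
    "LEAF-1",       /* 25 Leaf-1 */
    "LEAF-2",       /* 26 Leaf-2 */
    "RDP",          /* 27 Reliable Data Protocol */
    "IRTP",         /* 28 Internet Reliable Transaction */
    "ISO-TP4",      /* 29 ISO Transport Protocol Class 4 */
    "NETBLT",       /* 30 Bulk Data Transfer Protocol */
    "MFE-NSP",      /* 31 MFE Network Services Protocol */
    "MERIT-INP",    /* 32 MERIT Internodal Protocol */
    "SEP",          /* 33 Sequential Exchange Protocol */
    "3PC",          /* 34 Third Party Connect Protocol */
    "IDPR",         /* 35 Inter-Domain Policy Routing Protocol */
    "XTP",          /* 36 XTP */
    "DDP",          /* 37 Datagram Delivery Protocol */
    "IDPR-CMTP",    /* 38 IDPR Control Message Transport Proto */
    "TP++",         /* 39 TP++ Transport Protocol */
    "IL",           /* 40 IL Transport Protocol */
    "IPv6",         /* 41 IPv6 */
    "SDRP",         /* 42 Source Demand Routing Protocol */
    "IPv6-Route",   /* 43 Routing Header for IPv6 */
    "IPv6-Frag",    /* 44 Fragment Header for IPv6 */
    "IDRP",         /* 45 Inter-Domain Routing Protocol */
    "RSVP",         /* 46 Reservation Protocol */
    "GRE",          /* 47 General Routing Encapsulation */
    "MHRP",         /* 48 Mobile Host Routing Protocol */
    "BNA",          /* 49 BNA */
    "ESP",          /* 50 Encap Security Payload for IPv6 */
    "AH",           /* 51 Authentication Header for IPv6 */
    "I-NLSP",       /* 52 Integrated Net Layer Security */
    "SWIPE",        /* 53 IP with Encryption */
    "NARP",         /* 54 NBMA Next Hop Resolution Protocol */
    "MOBILE",       /* 55 IP Mobility */
    "TLSP",         /* 56 Transport Layer Security Protocol */
    "SKIP",         /* 57 SKIP */
    "IPv6-ICMP",    /* 58 ICMP for IPv6 */
    "IPv6-NoNxt",   /* 59 No Next Header for IPv6 */
    "IPv6-Opts",    /* 60 Destination Options for IPv6 */
    "Prot. 61",     /* 61 Any host internal protocol */
    "CFTP",         /* 62 CFTP */
    "Prot. 63",     /* 63 Any local network */
    "SAT-EXPAK",    /* 64 SATNET and Backroom EXPAK */
    "KRYPTOLAN",    /* 65 Kryptolan */
    "RVD",          /* 66 MIT Remote Virtual Disk Protocol */
    "IPPC",         /* 67 Internet Pluribus Packet Core */
    "Prot. 68",     /* 68 Any distributed file system */
    "SAT-MON",      /* 69 SATNET Monitoring */
    "VISA",         /* 70 VISA Protocol */
    "IPCV",         /* 71 Internet Packet Core Utility */
    "CPNX",         /* 72 Computer Protocol Network Executive */
    "CPHB",         /* 73 Computer Protocol Heart Beat */
    "WSN",          /* 74 Wang Span Network */
    "PVP",          /* 75 Packet Video Protocol */
    "BR-SAT-MON",   /* 76 Backroom SATNET Monitoring */
    "SUN-ND",       /* 77 SUN ND PROTOCOL-Temporary */
    "WB-MON",       /* 78 WIDEBAND Monitoring */
    "WB-EXPAK",     /* 79 WIDEBAND EXPAK */
    "ISO-IP",       /* 80 ISO Internet Protocol */
    "VMTP",         /* 81 VMTP */
    "SECURE-VMTP",  /* 82 SECURE-VMTP */
    "VINES",        /* 83 VINES */
    "TTP",          /* 84 TTP */
    "NSFNET-IGP",   /* 85 NSFNET-IGP */
    "DGP",          /* 86 Dissimilar Gateway Protocol */
    "TCF",          /* 87 TCF */
    "EIGRP",        /* 88 EIGRP */
    "OSPFIGP",      /* 89 OSPFIGP */
    "Sprite-RPC",   /* 90 Sprite RPC Protocol */
    "LARP",         /* 91 Locus Address Resolution Protocol */
    "MTP",          /* 92 Multicast Transport Protocol */
    "AX.25",        /* 93 AX.25 Frames */
    "IPIP encap.",  /* 94 IP-within-IP Encapsulation Protocol */
    "MICP",         /* 95 Mobile Internetworking Control Pro. */
    "SCC-SP",       /* 96 Semaphore Communications Sec. Pro. */
    "ETHERIP",      /* 97 Ethernet-within-IP Encapsulation */
    "ENCAP",        /* 98 Encapsulation Header */
    "Prot. 99",     /* 99 Any private encryption scheme */
    "GMTP",         /* 100 GMTP */
    "IFMP",         /* 101 Ipsilon Flow Management Protocol */
    "PNNI",         /* 102 PNNI over IP */
    "PIM",          /* 103 Protocol Independent Multicast */
    "Prot. "        /* Template for 104-255 */
};

/* ICMP Types */
protected static final String icmptype[] =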