
checking for unsupported UserService objects in compilers for ipf, iosacl and pix

This commit is contained in:
Vadim Kurland 2008-06-07 03:44:57 +00:00
parent 47a435f7d3
commit 07be919f07
5 changed files with 85 additions and 66 deletions


@ -337,6 +337,8 @@ void PolicyCompiler_iosacl::compile()
add( new pickACL( true, "assign ACLs" ) );
add( new SpecialServices( "check for special services" ) );
add( new CheckForUnsupportedUserService("check for user service") );
add( new checkForZeroAddr( "check for zero addresses" ) );
add( new checkForDynamicInterface("check for dynamic interfaces" ) );
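Review bot: The new `add( new CheckForUnsupportedUserService("check for user service") );` sits after `SpecialServices`, and whether that position is safe depends on `ExpandGroups` having already run in this compiler; if it runs later than this point (not visible in the hunk), a UserService nested inside a service group would pass the check and reach code generation. Confirm the ordering against the full `compile()` body, which starts and ends outside this hunk, and record the dependency with a comment such as `// must run after ExpandGroups so UserService objects nested in groups are caught`. The hunk header reports two added lines but only one is rendered here, so the second addition should be reviewed as well. The label `"check for user service"` does not say the processor rejects anything; `"check for unsupported UserService objects"` would match the processor's name.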


@ -404,30 +404,35 @@ void PolicyCompiler_ipf::compile()
if ( fw->getOptionsObject()->getBool ("check_shading") )
{
add( new Begin ("Detecting rule shadowing" ) );
add( new printTotalNumberOfRules ( ) );
add( new Begin ("Detecting rule shadowing" ) );
add( new printTotalNumberOfRules( ) );
add( new ItfNegation( "process negation in Itf" ) );
add( new InterfacePolicyRules("process interface policy rules and store interface ids") );
add( new ItfNegation("process negation in Itf" ) );
add( new InterfacePolicyRules(
"process interface policy rules and store interface ids"));
add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ) );
add( new recursiveGroupsInDst( "check for recursive groups in DST" ) );
add( new recursiveGroupsInSrv( "check for recursive groups in SRV" ) );
add( new recursiveGroupsInSrc("check for recursive groups in SRC"));
add( new recursiveGroupsInDst("check for recursive groups in DST"));
add( new recursiveGroupsInSrv("check for recursive groups in SRV"));
check_for_recursive_groups=false;
add( new ExpandGroups ("expand groups" ) );
add( new eliminateDuplicatesInSRC ("eliminate duplicates in SRC" ) );
add( new eliminateDuplicatesInDST ("eliminate duplicates in DST" ) );
add( new eliminateDuplicatesInSRV ("eliminate duplicates in SRV" ) );
add( new ExpandGroups("expand groups") );
add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC") );
add( new eliminateDuplicatesInDST("eliminate duplicates in DST") );
add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV") );
add( new swapMultiAddressObjectsInSrc(" swap MultiAddress -> MultiAddressRunTime in Src") );
add( new swapMultiAddressObjectsInDst(" swap MultiAddress -> MultiAddressRunTime in Dst") );
add( new swapMultiAddressObjectsInSrc(
" swap MultiAddress -> MultiAddressRunTime in Src") );
add( new swapMultiAddressObjectsInDst(
" swap MultiAddress -> MultiAddressRunTime in Dst") );
add( new ExpandMultipleAddressesInSRC("expand objects with multiple addresses in SRC" ) );
add( new ExpandMultipleAddressesInDST("expand objects with multiple addresses in DST" ) );
add( new ConvertToAtomic ("convert to atomic rules" ) );
add( new DetectShadowing ("Detect shadowing" ) );
add( new simplePrintProgress ( ) );
add( new ExpandMultipleAddressesInSRC(
"expand objects with multiple addresses in SRC" ) );
add( new ExpandMultipleAddressesInDST(
"expand objects with multiple addresses in DST" ) );
add( new ConvertToAtomic("convert to atomic rules" ) );
add( new DetectShadowing("Detect shadowing" ) );
add( new simplePrintProgress() );
runRuleProcessors();
deleteRuleProcessors();
@ -437,76 +442,87 @@ void PolicyCompiler_ipf::compile()
add( new Begin());
add( new printTotalNumberOfRules() );
// add( new MACFiltering( "verify for MAC address filtering" ) );
add( new setQuickFlag( "set 'quick' flag" ) );
add( new setQuickFlag("set 'quick' flag") );
if (check_for_recursive_groups)
{
add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ) );
add( new recursiveGroupsInDst( "check for recursive groups in DST" ) );
add( new recursiveGroupsInSrv( "check for recursive groups in SRV" ) );
add( new recursiveGroupsInSrc("check for recursive groups in SRC"));
add( new recursiveGroupsInDst("check for recursive groups in DST"));
add( new recursiveGroupsInSrv("check for recursive groups in SRV"));
}
add( new emptyGroupsInSrc( "check for empty groups in SRC" ) );
add( new emptyGroupsInDst( "check for empty groups in DST" ) );
add( new emptyGroupsInSrv( "check for empty groups in SRV" ) );
add( new emptyGroupsInSrc("check for empty groups in SRC") );
add( new emptyGroupsInDst("check for empty groups in DST") );
add( new emptyGroupsInSrv("check for empty groups in SRV") );
add( new ItfNegation( "process negation in Itf" ) );
add( new InterfacePolicyRules("process interface policy rules and store interface ids") );
add( new ItfNegation("process negation in Itf" ) );
add( new InterfacePolicyRules(
"process interface policy rules and store interface ids") );
add( new doSrcNegation( "process negation in Src" ) );
add( new doDstNegation( "process negation in Dst" ) );
add( new doSrvNegation( "process negation in Srv" ) );
add( new ExpandGroups( "expand groups" ) );
add( new doSrcNegation("process negation in Src") );
add( new doDstNegation("process negation in Dst") );
add( new doSrvNegation("process negation in Srv") );
add( new ExpandGroups( "expand groups") );
add( new CheckForTCPEstablished("check for TCPService objects with flag \"established\"") );
add( new CheckForTCPEstablished(
"check for TCPService objects with flag \"established\"") );
add( new CheckForUnsupportedUserService("check for user service") );
add( new eliminateDuplicatesInSRC( "eliminate duplicates in SRC" ) );
add( new eliminateDuplicatesInDST( "eliminate duplicates in DST" ) );
add( new eliminateDuplicatesInSRV( "eliminate duplicates in SRV" ) );
add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC") );
add( new eliminateDuplicatesInDST("eliminate duplicates in DST") );
add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV") );
add( new swapMultiAddressObjectsInSrc(" swap MultiAddress -> MultiAddressRunTime in Src") );
add( new swapMultiAddressObjectsInDst(" swap MultiAddress -> MultiAddressRunTime in Dst") );
add( new swapMultiAddressObjectsInSrc(
" swap MultiAddress -> MultiAddressRunTime in Src") );
add( new swapMultiAddressObjectsInDst(
" swap MultiAddress -> MultiAddressRunTime in Dst") );
add( new processMultiAddressObjectsInSrc("process MultiAddress objects in Src") );
add( new processMultiAddressObjectsInDst("process MultiAddress objects in Dst") );
add( new processMultiAddressObjectsInSrc(
"process MultiAddress objects in Src") );
add( new processMultiAddressObjectsInDst(
"process MultiAddress objects in Dst") );
add( new splitIfFirewallInSrc( "split rule if firewall is in Src" ) );
add( new splitIfFirewallInDst( "split rule if firewall is in Dst" ) );
add( new fillDirection( "determine directions" ) );
add( new SplitDirection( "split rules with direction 'both'" ) );
add( new ExpandMultipleAddresses( "expand objects with multiple addresses" ) );
add( new checkForDynamicInterfacesOfOtherObjects( "check for dynamic interfaces of other hosts and firewalls" ) );
add( new MACFiltering( "verify for MAC address filtering" ) );
add( new checkForUnnumbered( "check for unnumbered interfaces" ) );
add( new specialCaseWithDynInterface( "check for a special cases with dynamic interface") );
add( new addressRanges( "expand address range objects" ) );
add( new splitServices( "split rules with different protocols" ) );
add( new separateTCPWithFlags( "separate TCP services with flags" ) );
add( new splitIfFirewallInSrc("split rule if firewall is in Src") );
add( new splitIfFirewallInDst("split rule if firewall is in Dst") );
add( new fillDirection("determine directions") );
add( new SplitDirection("split rules with direction 'both'" ) );
add( new ExpandMultipleAddresses(
"expand objects with multiple addresses") );
add( new checkForDynamicInterfacesOfOtherObjects(
"check for dynamic interfaces of other hosts and firewalls" ));
add( new MACFiltering("verify for MAC address filtering" ) );
add( new checkForUnnumbered("check for unnumbered interfaces") );
add( new specialCaseWithDynInterface(
"check for a special cases with dynamic interface") );
add( new addressRanges("expand address range objects") );
add( new splitServices("split rules with different protocols") );
add( new separateTCPWithFlags("separate TCP services with flags" ) );
add( new separateSrcPort("split on TCP and UDP with source ports"));
add( new verifyCustomServices( "verify custom services for this platform" ) );
add( new SpecialServices( "check for special services" ) );
add( new expandAnyService( "expand ANY service for stateful rules" ) );
add( new verifyCustomServices(
"verify custom services for this platform") );
add( new SpecialServices("check for special services" ) );
add( new expandAnyService("expand ANY service for stateful rules") );
/*
* it may make sense to do optimization even before we expand groups
* (before ExpandGroups). Need to test this idea.
*/
if ( fw->getOptionsObject()->getBool ("optimize") )
{
add( new optimizeSrc( "optimization in SRC" ) );
add( new optimizeDst( "optimization in DST" ) );
add( new optimizeSrv( "optimization in SRV" ) );
add( new optimizeSrc("optimization in SRC") );
add( new optimizeDst("optimization in DST") );
add( new optimizeSrv("optimization in SRV") );
}
add( new ConvertToAtomic( "convert to atomic rules" ) );
add( new checkForZeroAddr( "check for zero addresses" ) );
add( new ConvertToAtomic("convert to atomic rules") );
add( new checkForZeroAddr("check for zero addresses" ) );
if ( fw->getOptionsObject()->getBool ("eliminate_duplicates") )
add( new eliminateDuplicateRules( "eliminate duplicate rules" ) );
add( new eliminateDuplicateRules("eliminate duplicate rules" ) );
add( new calculateSkip( "calculate argument for skip" ) );
add( new checkForKeepState( "check for 'keep state'" ) );
add( new convertInterfaceIdToStr( "prepare interface assignments" ) );
add( new PrintRule( "generate ipf code" ) );
add( new calculateSkip("calculate argument for skip") );
add( new checkForKeepState("check for 'keep state'") );
add( new convertInterfaceIdToStr("prepare interface assignments") );
add( new PrintRule("generate ipf code") );
add( new simplePrintProgress() );
runRuleProcessors();
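Review bot: The single functional line in this section, `add( new CheckForUnsupportedUserService("check for user service") );`, is buried among roughly forty whitespace-only reformatting lines, which makes the change hard to review and to bisect; the reformat belongs in a separate commit. Its placement after `ExpandGroups` and `doSrvNegation` is what lets it see UserService objects that were nested in groups, and that ordering dependency deserves a comment, e.g. `// after ExpandGroups: also catches UserService objects nested in service groups`. The shadowing-detection pass earlier in this function also calls `ExpandGroups` and `ConvertToAtomic` before `DetectShadowing` but does not get this check; if UserService objects can reach `DetectShadowing`, consider adding it there too. `compile()` starts before this hunk.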


@ -761,6 +761,7 @@ void PolicyCompiler_pix::compile()
add( new pickACL_v6( "assign ACLs for v6" ));
add( new SpecialServices( "check for special services" ));
add( new CheckForUnsupportedUserService("check for user service") );
add( new checkForZeroAddr( "check for zero addresses" ));
add( new checkVersionAndDynamicInterface(
"check for dynamic interfaces in policy rule and verify version of PIX OS"));
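Review bot: The added check after `pickACL_v6` and `SpecialServices` is late in the pipeline, and it only catches UserService objects that are already top-level in a rule's service list at that point; if `ExpandGroups` runs after this position in the PIX compiler (not shown in the hunk), a UserService inside a ServiceGroup would slip through to code generation. Verify the order in the full `compile()` body, which begins before and continues after this hunk, and note it inline: `// runs after group expansion so nested UserService objects are rejected too`. The processor label `"check for user service"` would be clearer as `"check for unsupported UserService objects"`.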


@ -9,7 +9,7 @@ while (<>) {
$str=~ /<Firewall [^>]+name="([^"]*).*$"/;
$fw=$1;
printf "echo ====================== $fw =========================================\n";
printf "fwb_iosacl -v -f $XMLFILE $fw\n";
printf "fwb_iosacl -v -f $XMLFILE $fw\n";
$str=~ s/^.*<Firewall [^>]+name="$fw"[^>]+>//;
}
}


@ -10,7 +10,7 @@ while (<>) {
$fw=$1;
printf "\n";
printf "echo '******* $fw'\n";
printf "fwb_ipf -v -f $XMLFILE $fw\n";
printf "fwb_ipf -v -f $XMLFILE -xt $fw\n";
$str=~ s/^.*<Firewall [^>]+name="$fw"[^>]+>//;
}
}
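Review bot: `$fw` appears to come from the `name="..."` attribute of the input XML (`$fw=$1;` and the `name="$fw"` substitution below) and is interpolated unquoted into the emitted shell command on the new line `printf "fwb_ipf -v -f $XMLFILE -xt $fw\n";`, so a firewall name containing spaces, quotes or `;` yields a broken or command-injecting line in the generated script; because `printf` treats its first argument as a format string, a `%` in the name is also mis-rendered. Use `print` and quote the name: `print "fwb_ipf -v -f $XMLFILE -xt '$fw'\n";`, escaping any `'` inside `$fw` as `'\''` if such names can occur. The enclosing `while (<>)` loop begins before this hunk.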