From 0d69945d2feda863b6c0c20478f7e3f94046ea6f Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@netcitadel.com>
Date: Thu, 7 Jul 2011 18:04:24 -0700
Subject: [PATCH] see #2546 "PF import - negation inside of inline tables is
 ignored". Since we can not import address lists or tables that contain a mix
 of negated and non-negated items, importer should display an error when it
 enounters one of these and mark all rules that use it as "broken" (rule is
 colored red and error message is added to the comment).

---
 doc/ChangeLog                                 |   7 +
 src/import/Importer.cpp                       |  15 ++
 src/import/Importer.h                         |  11 ++
 src/import/PFImporter.cpp                     |  32 +++--
 .../PFImporterTest/test_data/pf-tables.conf   |   6 +
 .../PFImporterTest/test_data/pf-tables.fwb    | 132 +++++++++++-------
 .../PFImporterTest/test_data/pf-tables.output |   7 +-
 7 files changed, 148 insertions(+), 62 deletions(-)

diff --git a/doc/ChangeLog b/doc/ChangeLog
index b5fd9e7a5..22a0711b2 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,12 @@
 2011-07-07  Vadim Kurland  <vadim@netcitadel.com>
 
+	* PFImporter.cpp (makeAddressObj): see #2546 "PF import - negation
+	inside of inline tables is ignored". Since we can not import
+	address lists or tables that contain a mix of negated and
+	non-negated items, importer should display an error when it
+	enounters one of these and mark all rules that use it as "broken"
+	(rule is colored red and error message is added to the comment).
+
 	* PFImporter.cpp (makeAddressObj): see #2556 "PF import: impor of
 	rules referring to undefined macros". If pf.conf file uses an
 	undefined macro (there is $macro somewhere but the macro has never
diff --git a/src/import/Importer.cpp b/src/import/Importer.cpp
index 263ce2bb4..d55990ca0 100644
--- a/src/import/Importer.cpp
+++ b/src/import/Importer.cpp
@@ -1016,3 +1016,18 @@ void Importer::rearrangeVlanInterfaces()
 
 }
 
+void Importer::registerBrokenObject(FWObject *obj, const QString &err)
+{
+    broken_objects[obj] = err;
+}
+
+bool Importer::isObjectBroken(FWObject *obj)
+{
+    return broken_objects.count(obj) != 0;
+}
+
+QString Importer::getBrokenObjectError(FWObject *obj)
+{
+    return broken_objects[obj];
+}
+
diff --git a/src/import/Importer.h b/src/import/Importer.h
index db3f772fd..9700fb7db 100644
--- a/src/import/Importer.h
+++ b/src/import/Importer.h
@@ -142,6 +142,13 @@ protected:
     // use this to quickly find objects to avoid creating duplicates
     std::map<const std::string,libfwbuilder::FWObject*>   all_objects;
 
+    // registry of broken objects. Sometimes we create an AddressTable
+    // or a group object during import that may have some kind of a problem
+    // that we leave for the user to fix manually. In order to be able to mark
+    // all rules that use this object as "broken", we should register these
+    // broken objects somewhere.
+    std::map<libfwbuilder::FWObject*, QString> broken_objects;
+    
     UnidirectionalRuleSet* current_ruleset;
     
     libfwbuilder::Rule* current_rule;
@@ -203,6 +210,10 @@ protected:
     virtual void addOSrv();
 
     virtual void addLogging();
+
+    void registerBrokenObject(libfwbuilder::FWObject *o, const QString &err);
+    bool isObjectBroken(libfwbuilder::FWObject*);
+    QString getBrokenObjectError(libfwbuilder::FWObject*);
     
 public:
 
diff --git a/src/import/PFImporter.cpp b/src/import/PFImporter.cpp
index 6eb8b0ba4..4cf12d90c 100644
--- a/src/import/PFImporter.cpp
+++ b/src/import/PFImporter.cpp
@@ -587,7 +587,12 @@ FWObject* PFImporter::makeAddressObj(AddressSpec &as)
 
     if (as.at == AddressSpec::TABLE)
     {
-        return address_table_registry[as.address.c_str()];
+        FWObject *at = address_table_registry[as.address.c_str()];
+        if (isObjectBroken(at))
+        {
+            error_tracker->registerError(getBrokenObjectError(at));
+        }
+        return at;
     }
 
     return NULL;
@@ -1375,21 +1380,28 @@ void PFImporter::newAddressTableObject(const string &name,
                     .arg(QString::fromUtf8(name.c_str()))
                     .arg(addr_list.join(", ")));
 
-    if (has_negations)
-    {
-        // can not use error_tracker->registerError() here because
-        // tables are created before importer encounters any rules and
-        // so this error can not be associated with a rule.
-        addMessageToLog(
-            QObject::tr("Error: import of table definition with negated addresses is not supported."));
-    }
-
     ObjectMaker maker(Library::cast(library), error_tracker);
     FWObject *og =
         commitObject(maker.createObject(ObjectGroup::TYPENAME, name.c_str()));
     assert(og!=NULL);
     address_table_registry[name.c_str()] = og;
 
+    if (has_negations)
+    {
+        // can not use error_tracker->registerError() here because
+        // tables are created before importer encounters any rules and
+        // so this error can not be associated with a rule.
+        QString err =
+            QObject::tr("Error: import of table definition with negated "
+                        "addresses is not supported.");
+        addMessageToLog(err);
+
+        err =
+            QObject::tr("Address table '%1' has a mix of negated and non-negated "
+                        "addresses in the original file.");
+        registerBrokenObject(og, err.arg(QString::fromUtf8(name.c_str())));
+    }
+
     for (it=addresses.begin(); it!=addresses.end(); ++it)
     {
         FWObject *obj = makeAddressObj(*it);
diff --git a/src/unit_tests/PFImporterTest/test_data/pf-tables.conf b/src/unit_tests/PFImporterTest/test_data/pf-tables.conf
index 85b430f7d..baf82a3da 100644
--- a/src/unit_tests/PFImporterTest/test_data/pf-tables.conf
+++ b/src/unit_tests/PFImporterTest/test_data/pf-tables.conf
@@ -10,3 +10,9 @@ table <dst_addresses_1> { 192.168.1.1, 192.168.1.2, 192.168.2.0/24 }
 table <dst_addresses_2> { pcn0, pcn0:network }
 table <dst_addresses_3> { pcn0:peer, pcn0:0 }
 table <dst_addresses_4> { www.fwbuilder.org, www.netcitadel.com }
+
+# unsupported: this table has a mix of negated and non-negated addresses
+table <dst_addresses_5> { 192.168.10.1, !192.168.10.2, 192.168.20.0/24 }
+
+# the rule should be marked as "broken"
+pass in quick on em1 from <dst_addresses_5> to any
diff --git a/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb b/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb
index 34418c699..1d1ffc76a 100644
--- a/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb
+++ b/src/unit_tests/PFImporterTest/test_data/pf-tables.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="22" lastModified="1307340472" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="22" lastModified="1310086930" id="root">
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -434,75 +434,107 @@
       <ObjectGroup id="id2" name="Addresses" comment="" ro="False">
         <IPv4 id="id3" name="h-192.168.1.1" comment="Created during import of  line 9" ro="False" address="192.168.1.1" netmask="255.255.255.255"/>
         <IPv4 id="id4" name="h-192.168.1.2" comment="Created during import of  line 9" ro="False" address="192.168.1.2" netmask="255.255.255.255"/>
+        <IPv4 id="id5" name="h-192.168.10.1" comment="Created during import of  line 15" ro="False" address="192.168.10.1" netmask="255.255.255.255"/>
+        <IPv4 id="id6" name="h-192.168.10.2" comment="Created during import of  line 15" ro="False" address="192.168.10.2" netmask="255.255.255.255"/>
       </ObjectGroup>
-      <ObjectGroup id="id5" name="DNS Names" comment="" ro="False">
-        <DNSName id="id6" dnsrec="www.fwbuilder.org" dnsrectype="A" run_time="True" name="www.fwbuilder.org" comment="" ro="False"/>
-        <DNSName id="id7" dnsrec="www.netcitadel.com" dnsrectype="A" run_time="True" name="www.netcitadel.com" comment="" ro="False"/>
+      <ObjectGroup id="id7" name="DNS Names" comment="" ro="False">
+        <DNSName id="id8" dnsrec="www.fwbuilder.org" dnsrectype="A" run_time="True" name="www.fwbuilder.org" comment="" ro="False"/>
+        <DNSName id="id9" dnsrec="www.netcitadel.com" dnsrectype="A" run_time="True" name="www.netcitadel.com" comment="" ro="False"/>
       </ObjectGroup>
-      <ObjectGroup id="id8" name="Address Tables" comment="" ro="False">
-        <AddressTable id="id9" filename="" run_time="True" name="mike" comment="" ro="False"/>
-        <AddressTable id="id10" filename="" run_time="True" name="BLOCKTEMP" comment="" ro="False"/>
-        <AddressTable id="id11" filename="./pf_block_permanent" run_time="True" name="BLOCKPERM" comment="" ro="False"/>
-        <AddressTable id="id12" filename="./pf_table" run_time="True" name="BLOCK" comment="" ro="False"/>
-        <AddressTable id="id13" filename="" run_time="True" name="spamd-white" comment="" ro="False"/>
+      <ObjectGroup id="id10" name="Address Tables" comment="" ro="False">
+        <AddressTable id="id11" filename="" run_time="True" name="mike" comment="" ro="False"/>
+        <AddressTable id="id12" filename="" run_time="True" name="BLOCKTEMP" comment="" ro="False"/>
+        <AddressTable id="id13" filename="./pf_block_permanent" run_time="True" name="BLOCKPERM" comment="" ro="False"/>
+        <AddressTable id="id14" filename="./pf_table" run_time="True" name="BLOCK" comment="" ro="False"/>
+        <AddressTable id="id15" filename="" run_time="True" name="spamd-white" comment="" ro="False"/>
       </ObjectGroup>
-      <ObjectGroup id="id14" name="Groups" comment="" ro="False">
-        <ObjectGroup id="id15" name="private" comment="Created during import of  line 7" ro="False">
-          <ObjectRef ref="id34"/>
-          <ObjectRef ref="id35"/>
-          <ObjectRef ref="id36"/>
+      <ObjectGroup id="id16" name="Groups" comment="" ro="False">
+        <ObjectGroup id="id17" name="private" comment="Created during import of  line 7" ro="False">
+          <ObjectRef ref="id40"/>
+          <ObjectRef ref="id41"/>
+          <ObjectRef ref="id42"/>
         </ObjectGroup>
-        <ObjectGroup id="id19" name="dst_addresses_1" comment="Created during import of  line 9" ro="False">
+        <ObjectGroup id="id21" name="dst_addresses_1" comment="Created during import of  line 9" ro="False">
           <ObjectRef ref="id3"/>
           <ObjectRef ref="id4"/>
-          <ObjectRef ref="id37"/>
+          <ObjectRef ref="id43"/>
         </ObjectGroup>
-        <ObjectGroup id="id23" name="dst_addresses_2" comment="Created during import of  line 10" ro="False">
-          <ObjectRef ref="id57"/>
-          <ObjectRef ref="id58"/>
+        <ObjectGroup id="id25" name="dst_addresses_2" comment="Created during import of  line 10" ro="False">
+          <ObjectRef ref="id76"/>
+          <ObjectRef ref="id77"/>
         </ObjectGroup>
-        <ObjectGroup id="id26" name="dst_addresses_3" comment="Created during import of  line 11" ro="False">
-          <ObjectRef ref="id57"/>
-          <ObjectRef ref="id57"/>
+        <ObjectGroup id="id28" name="dst_addresses_3" comment="Created during import of  line 11" ro="False">
+          <ObjectRef ref="id76"/>
+          <ObjectRef ref="id76"/>
         </ObjectGroup>
-        <ObjectGroup id="id29" name="dst_addresses_4" comment="Created during import of  line 12" ro="False">
+        <ObjectGroup id="id31" name="dst_addresses_4" comment="Created during import of  line 12" ro="False">
+          <ObjectRef ref="id8"/>
+          <ObjectRef ref="id9"/>
+        </ObjectGroup>
+        <ObjectGroup id="id34" name="dst_addresses_5" comment="Created during import of  line 15" ro="False">
+          <ObjectRef ref="id5"/>
           <ObjectRef ref="id6"/>
-          <ObjectRef ref="id7"/>
+          <ObjectRef ref="id44"/>
         </ObjectGroup>
       </ObjectGroup>
-      <ObjectGroup id="id32" name="Hosts" comment="" ro="False"/>
-      <ObjectGroup id="id33" name="Networks" comment="" ro="False">
-        <Network id="id34" name="net-10/255.0.0.0" comment="Created during import of  line 7" ro="False" address="255.192.0.0" netmask="255.0.0.0"/>
-        <Network id="id35" name="net-172.16/255.240.0.0" comment="Created during import of  line 7" ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
-        <Network id="id36" name="net-192.168/255.255.0.0" comment="Created during import of  line 7" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
-        <Network id="id37" name="net-192.168.2.0/255.255.255.0" comment="Created during import of  line 9" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
+      <ObjectGroup id="id38" name="Hosts" comment="" ro="False"/>
+      <ObjectGroup id="id39" name="Networks" comment="" ro="False">
+        <Network id="id40" name="net-10/255.0.0.0" comment="Created during import of  line 7" ro="False" address="255.192.0.0" netmask="255.0.0.0"/>
+        <Network id="id41" name="net-172.16/255.240.0.0" comment="Created during import of  line 7" ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
+        <Network id="id42" name="net-192.168/255.255.0.0" comment="Created during import of  line 7" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
+        <Network id="id43" name="net-192.168.2.0/255.255.255.0" comment="Created during import of  line 9" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
+        <Network id="id44" name="net-192.168.20.0/255.255.255.0" comment="Created during import of  line 15" ro="False" address="192.168.20.0" netmask="255.255.255.0"/>
       </ObjectGroup>
-      <ObjectGroup id="id38" name="Address Ranges" comment="" ro="False"/>
+      <ObjectGroup id="id45" name="Address Ranges" comment="" ro="False"/>
     </ObjectGroup>
-    <ServiceGroup id="id39" name="Services" comment="" ro="False">
-      <ServiceGroup id="id40" name="Groups" comment="" ro="False"/>
-      <ServiceGroup id="id41" name="ICMP" comment="" ro="False"/>
-      <ServiceGroup id="id42" name="IP" comment="" ro="False"/>
-      <ServiceGroup id="id43" name="TCP" comment="" ro="False"/>
-      <ServiceGroup id="id44" name="UDP" comment="" ro="False"/>
-      <ServiceGroup id="id45" name="Users" comment="" ro="False"/>
-      <ServiceGroup id="id46" name="Custom" comment="" ro="False"/>
-      <ServiceGroup id="id47" name="TagServices" comment="" ro="False"/>
+    <ServiceGroup id="id46" name="Services" comment="" ro="False">
+      <ServiceGroup id="id47" name="Groups" comment="" ro="False"/>
+      <ServiceGroup id="id48" name="ICMP" comment="" ro="False"/>
+      <ServiceGroup id="id49" name="IP" comment="" ro="False"/>
+      <ServiceGroup id="id50" name="TCP" comment="" ro="False"/>
+      <ServiceGroup id="id51" name="UDP" comment="" ro="False"/>
+      <ServiceGroup id="id52" name="Users" comment="" ro="False"/>
+      <ServiceGroup id="id53" name="Custom" comment="" ro="False"/>
+      <ServiceGroup id="id54" name="TagServices" comment="" ro="False"/>
     </ServiceGroup>
-    <ObjectGroup id="id48" name="Firewalls" comment="" ro="False">
-      <Firewall id="id49" host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pf" name="test_fw" comment="Created during import of  line 10" ro="False">
-        <NAT id="id53" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+    <ObjectGroup id="id55" name="Firewalls" comment="" ro="False">
+      <Firewall id="id56" host_OS="freebsd" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pf" name="test_fw" comment="Created during import of  line 10" ro="False">
+        <NAT id="id72" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>
-        <Policy id="id51" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+        <Policy id="id58" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id60" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Created during import of  line 18&#10;Address table 'dst_addresses_5' has a mix of negated and non-negated addresses in the original file.">
+            <Src neg="False">
+              <ObjectRef ref="id34"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="id79"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="color">#C86E6E</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
           <RuleSetOptions/>
         </Policy>
-        <Routing id="id55" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+        <Routing id="id74" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </Routing>
-        <Interface id="id57" dedicated_failover="False" dyn="True" security_level="0" unnum="False" unprotected="False" name="pcn0" comment="Created during import of  line 10" ro="False">
+        <Interface id="id76" dedicated_failover="False" dyn="True" security_level="0" unnum="False" unprotected="False" name="pcn0" comment="Created during import of  line 10" ro="False">
+          <InterfaceOptions/>
+          <AttachedNetworks id="id77" name="pcn0-net" comment="" ro="False"/>
+        </Interface>
+        <Interface id="id79" dedicated_failover="False" dyn="True" security_level="0" unnum="False" unprotected="False" name="em1" comment="Created during import of  line 18" ro="False">
           <InterfaceOptions/>
-          <AttachedNetworks id="id58" name="pcn0-net" comment="" ro="False"/>
         </Interface>
         <FirewallOptions>
           <Option name="check_shading">true</Option>
@@ -522,7 +554,7 @@
         </FirewallOptions>
       </Firewall>
     </ObjectGroup>
-    <ObjectGroup id="id60" name="Clusters" comment="" ro="False"/>
-    <IntervalGroup id="id61" name="Time" comment="" ro="False"/>
+    <ObjectGroup id="id81" name="Clusters" comment="" ro="False"/>
+    <IntervalGroup id="id82" name="Time" comment="" ro="False"/>
   </Library>
 </FWObjectDatabase>
diff --git a/src/unit_tests/PFImporterTest/test_data/pf-tables.output b/src/unit_tests/PFImporterTest/test_data/pf-tables.output
index d935e7866..5a1242668 100644
--- a/src/unit_tests/PFImporterTest/test_data/pf-tables.output
+++ b/src/unit_tests/PFImporterTest/test_data/pf-tables.output
@@ -12,5 +12,8 @@
 10: New interface: pcn0
 11: Address Table: <dst_addresses_3>:  pcn0, pcn0
 12: Address Table: <dst_addresses_4>:  www.fwbuilder.org, www.netcitadel.com
-Could not find enough information in the data file to create any firewall rules.
-
+15: Address Table: <dst_addresses_5>:  192.168.10.1, !192.168.10.2, 192.168.20.0/24
+15: Error: import of table definition with negated addresses is not supported.
+18: New interface: em1
+18: filtering rule: action pass; interfaces: em1
+18: Error: Address table 'dst_addresses_5' has a mix of negated and non-negated addresses in the original file.