
* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext):

fixes #1120 "redundant commands generated for ssh
access". Compiler for PIX generated two "ssh address netmask
inside" commands for the same rule that permits ssh to the firewall.
Vadim Kurland 2010-01-20 20:06:32 +00:00
parent 8db8c61e58
commit 0ded969b45
7 changed files with 53 additions and 14 deletions


@ -1 +1 @@
#define BUILD_NUM 2397
#define BUILD_NUM 2398


@ -1,5 +1,10 @@
2010-01-20 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext):
fixes #1120 "redundant commands generated for ssh
access". Compiler for PIX generated two "ssh address netmask
inside" commands for the same rule that permits ssh to the firewall.
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::assembleFwScript):
fixes #1106 "fwb_pix does not include prolog". Prolog script was
not included in generated configuration if firewall object was


@ -228,7 +228,9 @@ list<int> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
string("findInterfaceByNetzoneOrAll failed to retrieve first "
"object from the rule element; is argument not of "
"the type RuleElementSrc or RuleElementDst ?"));
return intf_id_list;
}
try
{
intf_id_list.push_back( findInterfaceByNetzone( a ) );
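Review bot: The `return intf_id_list;` and closing brace that appear to be the lines added to the error branch (right after the "findInterfaceByNetzoneOrAll failed to retrieve first object" message) hand back an empty list, and an empty list is indistinguishable from a rule element that legitimately maps to no interface. Unless the error report just above this hunk already aborts compilation, callers will proceed to generate ACLs from that empty result, so either document the contract with `// empty list also signals a failed lookup; callers must not treat it as "no interfaces"` or make the report fatal. findInterfaceByNetzoneOrAll begins and ends outside this hunk, so I cannot see which of the two the surrounding code relies on.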


@ -507,7 +507,10 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
RuleElementDst *ndst=r->getDst();
ndst->clearChildren();
ndst->setAnyElement();
// ndst->addRef( compiler->fw );
// Was commented out in r50
ndst->addRef( compiler->fw );
RuleElementSrv *nsrv=r->getSrv();
nsrv->clearChildren();
nsrv->add( cl.front() );
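Review bot: The re-enabled `ndst->addRef( compiler->fw );` sits directly under a commented-out copy of itself and `// Was commented out in r50`, which records history but not why the reference is needed again now; drop the dead copy and state the intent, e.g. `// dst must carry a reference to the firewall object so later processors can recognise the rule as targeting the firewall` (hedged, since the consumer of this reference is outside the hunk). Independently, `ndst->setAnyElement()` followed by `addRef` of a concrete object reads as contradictory unless addRef is known to replace the "any" reference rather than add alongside it; a one-line comment confirming which it is would save the next reader a trip into RuleElement. tcpServiceToFW::processNext continues outside this hunk.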


@ -60,13 +60,19 @@ using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
/*
* Call this rule processor after splitIfSrcMatchesFw and
* splitIfDstMatchesFw to make sure that if firewall or its interface
* or address is in src or dst, it is the only object there.
*/
bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Helper helper(compiler);
//RuleElementItf *itfre = rule->getItf();
RuleElementSrc *srcre = rule->getSrc();
RuleElementDst *dstre = rule->getDst();
list<int> intf_id_list;
@ -95,9 +101,12 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext()
new_rule->setBool("interface_and_direction_set_from_src",true);
tmp_queue.push_back(new_rule);
}
// preserve original rule as well to let
// setInterfaceAndDirectionByDst work on it.
tmp_queue.push_back(rule);
// If dst does not match firewall, preserve original rule as
// well to let setInterfaceAndDirectionByDst work on it.
FWObject *d = dstre->front();
if (FWReference::cast(d)!=NULL) d = FWReference::cast(d)->getPointer();
if (!compiler->complexMatch(Address::cast(d), compiler->fw))
tmp_queue.push_back(rule);
return true;
}
tmp_queue.push_back(rule);
@ -115,8 +124,7 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionByDst::processNext()
return true;
}
//RuleElementItf *itfre=rule->getItf();
RuleElementDst *dstre=rule->getDst();
RuleElementDst *dstre = rule->getDst();
list<int> intf_id_list;
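Review bot: In the second hunk the new check `if (!compiler->complexMatch(Address::cast(d), compiler->fw)) tmp_queue.push_back(rule);` passes a null pointer to complexMatch whenever `d` is not an Address, and whether complexMatch tolerates that is not visible here; if it does not, or if it reports a match for null, the original rule is silently dropped, which for a policy compiler is a worse failure than the duplicate command this commit removes. Cast once and keep the rule unless the cast succeeds and matches: `Address *dst_addr = Address::cast(d);` / `if (dst_addr == NULL || !compiler->complexMatch(dst_addr, compiler->fw))` / `tmp_queue.push_back(rule);`. The header comment added in the first hunk states the precondition that makes looking only at `dstre->front()` valid (after splitIfSrcMatchesFw and splitIfDstMatchesFw the firewall is the only object in src or dst), but nothing enforces that ordering, so an assertion that dstre holds exactly one element would turn the comment into a check. setInterfaceAndDirectionBySrc::processNext continues past the second hunk.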


@ -803,6 +803,7 @@ void PolicyCompiler_pix::compile()
if (outbound_acl_supported )
{
// Call these after splitIfSrcMatchesFw and splitIfDstMatchesFw
add( new setInterfaceAndDirectionBySrc(
"Set interface and direction for rules with interface 'all' using SRC; v7"));
add( new setInterfaceAndDirectionByDst(


@ -282,7 +282,7 @@
</Library>
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
<Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1264013073" platform="pix" name="cluster1" comment="" ro="False">
<Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1264016648" platform="pix" name="cluster1" comment="" ro="False">
<NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -345,7 +345,27 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id55439X897" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<PolicyRule id="id17725X59293" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2366X75741"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55439X897" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2735X69605"/>
</Src>
@ -363,7 +383,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<PolicyRule id="id2862X78273" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2366X75741"/>
</Src>
@ -381,7 +401,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<PolicyRule id="id2845X78273" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -399,7 +419,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<PolicyRule id="id2828X78273" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
@ -417,7 +437,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<PolicyRule id="id2811X78273" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
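Review bot: The added PolicyRule `id17725X59293` (SSH from `id2385X39486` to the cluster, direction Inbound) is presumably the regression case for #1120, but it carries `comment=""`, so nothing in the fixture records why it exists or what output it is expected to produce; set e.g. `comment="regression test for #1120: ssh to firewall must yield a single ssh command"`. The remaining hunks in this file only renumber `position` on the rules that follow it.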