From 0ded969b45e625961d535865a6baa58d8c9471bb Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@netcitadel.com>
Date: Wed, 20 Jan 2010 20:06:32 +0000
Subject: [PATCH] * PolicyCompiler_cisco_acls.cpp
 (setInterfaceAndDirectionBySrc::processNext): fixes #1120 "redundant commands
 generated for ssh access". Compiler for PIX generated two "ssh address
 netmask inside" commands for the same rule that permits ssh to the firewall.

---
 build_num                                   |  2 +-
 doc/ChangeLog                               |  5 ++++
 src/cisco_lib/Helper.cpp                    |  2 ++
 src/cisco_lib/PolicyCompiler_cisco.cpp      |  5 +++-
 src/cisco_lib/PolicyCompiler_cisco_acls.cpp | 20 +++++++++----
 src/cisco_lib/PolicyCompiler_pix.cpp        |  1 +
 test/pix/cluster-tests.fwb                  | 32 +++++++++++++++++----
 7 files changed, 53 insertions(+), 14 deletions(-)

diff --git a/build_num b/build_num
index b65125f40..a62a32961 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 2397
+#define BUILD_NUM 2398
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 9c8a49f4a..d0eb2017c 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,10 @@
 2010-01-20  vadim  <vadim@vk.crocodile.org>
 
+	* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext):
+	fixes #1120 "redundant commands generated for ssh
+	access". Compiler for PIX generated two "ssh address netmask
+	inside" commands for the same rule that permits ssh to the firewall.
+
 	* CompilerDriver_pix_run.cpp (CompilerDriver_pix::assembleFwScript):
 	fixes #1106 "fwb_pix does not include prolog". Prolog script was
 	not included in generated configuration if firewall object was
diff --git a/src/cisco_lib/Helper.cpp b/src/cisco_lib/Helper.cpp
index a3b3c3b47..cfdaa9ca4 100644
--- a/src/cisco_lib/Helper.cpp
+++ b/src/cisco_lib/Helper.cpp
@@ -228,7 +228,9 @@ list<int> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
                 string("findInterfaceByNetzoneOrAll failed to retrieve first "
                        "object from the rule element; is argument not of "
                        "the type RuleElementSrc or RuleElementDst ?"));
+            return intf_id_list;
         }
+
         try
         {
             intf_id_list.push_back( findInterfaceByNetzone( a ) );
diff --git a/src/cisco_lib/PolicyCompiler_cisco.cpp b/src/cisco_lib/PolicyCompiler_cisco.cpp
index f008943bd..92e09f9d3 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco.cpp
@@ -507,7 +507,10 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
             RuleElementDst *ndst=r->getDst();
             ndst->clearChildren();
             ndst->setAnyElement();
-//            ndst->addRef( compiler->fw );
+
+            // Was commented out in r50
+            ndst->addRef( compiler->fw );
+
             RuleElementSrv *nsrv=r->getSrv();
             nsrv->clearChildren();
             nsrv->add( cl.front() );
diff --git a/src/cisco_lib/PolicyCompiler_cisco_acls.cpp b/src/cisco_lib/PolicyCompiler_cisco_acls.cpp
index bee999843..91e637577 100644
--- a/src/cisco_lib/PolicyCompiler_cisco_acls.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco_acls.cpp
@@ -60,13 +60,19 @@ using namespace libfwbuilder;
 using namespace fwcompiler;
 using namespace std;
 
+
+/*
+ * Call this rule processor after splitIfSrcMatchesFw and
+ * splitIfDstMatchesFw to make sure that if firewall or its interface
+ * or address is in src or dst, it is the only object there.
+ */
 bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext()
 {
     PolicyRule *rule=getNext(); if (rule==NULL) return false;
     Helper helper(compiler);
 
-    //RuleElementItf *itfre = rule->getItf();
     RuleElementSrc *srcre = rule->getSrc();
+    RuleElementDst *dstre = rule->getDst();
 
     list<int> intf_id_list;
 
@@ -95,9 +101,12 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext()
             new_rule->setBool("interface_and_direction_set_from_src",true);
             tmp_queue.push_back(new_rule);
         }
-        // preserve original rule as well to let
-        // setInterfaceAndDirectionByDst work on it.
-        tmp_queue.push_back(rule);
+        // If dst does not match firewall, preserve original rule as
+        // well to let setInterfaceAndDirectionByDst work on it.
+        FWObject *d = dstre->front();
+        if (FWReference::cast(d)!=NULL) d = FWReference::cast(d)->getPointer();
+        if (!compiler->complexMatch(Address::cast(d), compiler->fw))
+            tmp_queue.push_back(rule);
         return true;
     }
     tmp_queue.push_back(rule);
@@ -115,8 +124,7 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionByDst::processNext()
         return true;
     }
 
-    //RuleElementItf *itfre=rule->getItf(); 
-    RuleElementDst *dstre=rule->getDst();
+    RuleElementDst *dstre = rule->getDst();
 
     list<int> intf_id_list;
 
diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp
index 72959f379..5d6d0b4c9 100644
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
@@ -803,6 +803,7 @@ void PolicyCompiler_pix::compile()
 
         if (outbound_acl_supported )
         {
+            // Call these after splitIfSrcMatchesFw and splitIfDstMatchesFw
             add( new setInterfaceAndDirectionBySrc(
                      "Set interface and direction for rules with interface 'all' using SRC; v7"));
             add( new setInterfaceAndDirectionByDst(
diff --git a/test/pix/cluster-tests.fwb b/test/pix/cluster-tests.fwb
index 3c7d2a01c..900b77b49 100644
--- a/test/pix/cluster-tests.fwb
+++ b/test/pix/cluster-tests.fwb
@@ -282,7 +282,7 @@
   </Library>
   <Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
     <ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
-      <Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1264013073" platform="pix" name="cluster1" comment="" ro="False">
+      <Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1264016648" platform="pix" name="cluster1" comment="" ro="False">
         <NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -345,7 +345,27 @@
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id55439X897" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
+          <PolicyRule id="id17725X59293" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
+            <Src neg="False">
+              <ObjectRef ref="id2385X39486"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id2366X75741"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="tcp-SSH"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id55439X897" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
             <Src neg="False">
               <ObjectRef ref="id2735X69605"/>
             </Src>
@@ -363,7 +383,7 @@
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
+          <PolicyRule id="id2862X78273" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
             <Src neg="False">
               <ObjectRef ref="id2366X75741"/>
             </Src>
@@ -381,7 +401,7 @@
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
+          <PolicyRule id="id2845X78273" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>
@@ -399,7 +419,7 @@
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id2828X78273" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="id2385X39486"/>
             </Src>
@@ -417,7 +437,7 @@
             </When>
             <PolicyRuleOptions/>
           </PolicyRule>
-          <PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
+          <PolicyRule id="id2811X78273" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>