From 23a0cd7bc57187b6d9397d7d4c6e566c687c9951 Mon Sep 17 00:00:00 2001 From: Vadim Kurland Date: Mon, 29 Mar 2010 21:36:28 +0000 Subject: [PATCH] * RoutingCompiler_iosacl_writers.cpp (PrintRule::_printRItf): fixed #1379 "Should be able to build routing rules with interface as gateway for IOS". Routing rules for IOS now have column "Interface". Rules can be built either with explicit address of the gateway or interface. --- build_num | 2 +- doc/ChangeLog | 6 + src/cisco_lib/RoutingCompiler_iosacl.cpp | 21 +- src/cisco_lib/RoutingCompiler_iosacl.h | 4 +- .../RoutingCompiler_iosacl_writers.cpp | 9 +- src/gui/RuleSetModel.cpp | 36 +- src/gui/RuleSetView.cpp | 12 +- src/res/platform/iosacl.xml | 2 +- test/iosacl/objects-for-regression-tests.fwb | 645 +++++++++++++++++- 9 files changed, 710 insertions(+), 27 deletions(-) diff --git a/build_num b/build_num index 3b11ad6a9..883695e6f 100644 --- a/build_num +++ b/build_num @@ -1 +1 @@ -#define BUILD_NUM 2783 +#define BUILD_NUM 2784 diff --git a/doc/ChangeLog b/doc/ChangeLog index fce31fd4c..5cbf65909 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,11 @@ 2010-03-29 vadim + * RoutingCompiler_iosacl_writers.cpp (PrintRule::_printRItf): + fixed #1379 "Should be able to build routing rules with interface + as gateway for IOS". Routing rules for IOS now have column + "Interface". Rules can be built either with explicit address of + the gateway or interface. + * PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed #1375 Interface group is not expanded in "Interface" rule element by compiler for PF diff --git a/src/cisco_lib/RoutingCompiler_iosacl.cpp b/src/cisco_lib/RoutingCompiler_iosacl.cpp index 2affbfd63..34539d247 100644 --- a/src/cisco_lib/RoutingCompiler_iosacl.cpp +++ b/src/cisco_lib/RoutingCompiler_iosacl.cpp 
@@ -97,6 +97,23 @@ bool RoutingCompiler_iosacl::ExpandMultipleAddressesExceptInterface::processNext } +bool RoutingCompiler_iosacl::checkRItfAndGw::processNext() +{ + RoutingRule *rule=getNext(); if (rule==NULL) return false; + tmp_queue.push_back(rule); + + RuleElementRItf *itfrel = rule->getRItf(); assert(itfrel); + RuleElementRGtw *gtwrel = rule->getRGtw(); assert(gtwrel); + + if (!itfrel->isAny() && !gtwrel->isAny()) + compiler->abort(rule, "Can not use both gateway address and interface in " + "IOS routing rule"); + + return true; +} + + + /** *----------------------------------------------------------------------- */ @@ -121,7 +138,9 @@ void RoutingCompiler_iosacl::compile() // add(new singleAdressInRGtw( // "Check if RGtw object has exactly one IP adress")); - // add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall")); + + add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall")); + add(new checkRItfAndGw("Both gateway and interface can not be used in the same rule")); add(new validateNetwork("Validate network addresses")); add(new reachableAddressInRGtw( diff --git a/src/cisco_lib/RoutingCompiler_iosacl.h b/src/cisco_lib/RoutingCompiler_iosacl.h index e4d78448d..fbe2d016a 100644 --- a/src/cisco_lib/RoutingCompiler_iosacl.h +++ b/src/cisco_lib/RoutingCompiler_iosacl.h @@ -58,7 +58,9 @@ namespace fwcompiler * intact. */ DECLARE_ROUTING_RULE_PROCESSOR(ExpandMultipleAddressesExceptInterface); - + + DECLARE_ROUTING_RULE_PROCESSOR(checkRItfAndGw); + class PrintRule : public RoutingCompiler_cisco::PrintRule { public: diff --git a/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp b/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp index c8d01dbed..f77f1fb3d 100644 --- a/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp +++ b/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp 
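Review bot: The null checks on `getRItf()` and `getRGtw()` in `checkRItfAndGw::processNext` are `assert`s, so a build with NDEBUG defined would dereference a null rule element at `itfrel->isAny()`. An explicit check such as `if (itfrel==NULL || gtwrel==NULL) compiler->abort(rule, "Routing rule is missing interface or gateway element");` would keep that failure a reported compile error. The processor rejects a rule that sets both fields but not one that leaves both as Any; unless a processor outside this hunk covers that case, such a rule would reach the writer and yield an `ip route` line with no next hop. The rule is also pushed to `tmp_queue` before the check, so an invalid rule is only kept out of the output if `abort()` does not return, and a one-line comment stating that assumption would help.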
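Review bot: The label passed to `rItfChildOfFw` in `compile()` is misspelled: `"Check if RItf is an Iterface of this firewall"` should read `Interface`. The hunk also re-enables this previously commented-out processor without saying why, so a short comment above the two `add()` calls would help, for example `// IOS routing rules now accept an interface: it must belong to this firewall and cannot be combined with a gateway address`. The body of `compile()` starts and ends outside the hunk.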
@@ -135,6 +135,13 @@ string RoutingCompiler_iosacl::PrintRule::_printRGtw(RoutingRule *rule) string RoutingCompiler_iosacl::PrintRule::_printRItf(RoutingRule *rule) { + RuleElementRItf *itfrel = rule->getRItf(); + if (!itfrel->isAny()) + { + Interface *itf = + Interface::cast(FWObjectReference::getObject(itfrel->front())); + if (itf != NULL) return itf->getName() + " "; + } return ""; } @@ -152,7 +159,7 @@ string RoutingCompiler_iosacl::PrintRule::RoutingRuleToString(RoutingRule *rule) command_line << "ip route "; command_line << _printRDst(rule); command_line << _printRGtw(rule); - //command_line << _printRItf(rule); + command_line << _printRItf(rule); // default metric in IOS is 1 (can't have metric 0) if (rule->getMetricAsString() == "0") diff --git a/src/gui/RuleSetModel.cpp b/src/gui/RuleSetModel.cpp index 4dab4429e..7646213bd 100644 --- a/src/gui/RuleSetModel.cpp +++ b/src/gui/RuleSetModel.cpp @@ -54,9 +54,9 @@ using namespace libfwbuilder; using namespace std; -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// // RuleSetModelIterator -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// RuleSetModelIterator::RuleSetModelIterator() { @@ -152,9 +152,9 @@ QModelIndex RuleSetModelIterator::index() } -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// // RuleSetModel -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// RuleSetModel::RuleSetModel(RuleSet *ruleset, QObject *parent) : QAbstractItemModel(parent) { 
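Review bot: `_printRItf` returns an empty string when the element is not Any but `Interface::cast(...)` yields NULL, so the rule is written without an interface instead of being reported. Since `checkRItfAndGw` rejects rules that also set a gateway, the resulting `ip route` line would presumably have no next hop at all. Consider failing loudly there, e.g. `if (itf == NULL) compiler->abort(rule, "Object in the Interface column is not an interface");`, assuming `compiler` is reachable from PrintRule as it is in the other processors. `itfrel` is dereferenced without the null check that `checkRItfAndGw::processNext` applies, and only `front()` is printed, so any further objects in the element are dropped silently. The interface name is copied verbatim into the generated configuration, so if object names can contain whitespace or line breaks, validating the name before output would keep one rule from spilling into extra configuration lines.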
@@ -1112,14 +1112,22 @@ bool RuleSetModel::insertObject(QModelIndex &index, FWObject *obj) { if (RuleElementRItf::cast(re)) { - QMessageBox::information( NULL , "Firewall Builder", - "A single interface belonging to this firewall is expected in this field.", + QMessageBox::information( + NULL , "Firewall Builder", + QObject::tr( + "A single interface belonging to " + "this firewall is expected in this field."), QString::null,QString::null); } else if (RuleElementRGtw::cast(re)) { - QMessageBox::information( NULL , "Firewall Builder", - "A single ip adress is expected here. You may also insert a host or a network adapter leading to a single ip adress.", + QMessageBox::information( + NULL , "Firewall Builder", + QObject::tr( + "A single ip address is expected " + "here. You may also insert a host " + "or a network adapter leading to " + "a single ip adress."), QString::null,QString::null); } return false; @@ -1338,9 +1346,9 @@ void RuleSetModel::copyRuleWithoutId(Rule* fromRule, Rule* toRule) } } -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// // PolicyModel -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// void PolicyModel::configure() { @@ -1452,9 +1460,9 @@ bool PolicyModel::checkRuleType(libfwbuilder::Rule *rule) return rule->getTypeName() == PolicyRule::TYPENAME; } -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// // NatModel -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// void NatModel::configure() { 
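Review bot: The re-wrapped gateway message in `insertObject` corrects `adress` once but still ends with `"a single ip adress."`, and the copy in `RuleSetView::validateForInsertion` (the RuleSetView.cpp hunk) keeps both misspellings. Now that both are wrapped in `QObject::tr`, the two source strings differ and will become separate translation entries for the same message. Use one corrected text in both places, `"A single ip address is expected here. You may also insert a host or a network adapter leading to a single ip address."`, or move the message into a shared helper. Both functions continue outside their hunks.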
@@ -1542,9 +1550,9 @@ bool NatModel::checkRuleType(libfwbuilder::Rule *rule) return rule->getTypeName() == NATRule::TYPENAME; } -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// // RoutingModel -////////////////////////////////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////// void RoutingModel::configure() { diff --git a/src/gui/RuleSetView.cpp b/src/gui/RuleSetView.cpp index 9c864f45e..8fb01b5e5 100644 --- a/src/gui/RuleSetView.cpp +++ b/src/gui/RuleSetView.cpp @@ -2172,17 +2172,19 @@ bool RuleSetView::validateForInsertion(RuleElement *re, FWObject *obj, bool quie { QMessageBox::information( NULL , "Firewall Builder", - "A single interface belonging to this firewall is " - "expected in this field.", + QObject::tr( + "A single interface belonging to this firewall is " + "expected in this field."), QString::null,QString::null); } else if (RuleElementRGtw::cast(re)) { QMessageBox::information( NULL , "Firewall Builder", - "A single ip adress is expected here. You may also " - "insert a host or a network adapter leading to a single " - "ip adress.", + QObject::tr( + "A single ip adress is expected here. You may also " + "insert a host or a network adapter leading to a single " + "ip adress."), QString::null,QString::null); } } diff --git a/src/res/platform/iosacl.xml b/src/res/platform/iosacl.xml index 54f7db51e..f3b4de1bc 100644 --- a/src/res/platform/iosacl.xml +++ b/src/res/platform/iosacl.xml @@ -107,7 +107,7 @@ interface %in False False False - False + True False False True diff --git a/test/iosacl/objects-for-regression-tests.fwb b/test/iosacl/objects-for-regression-tests.fwb index 4ac1dfe5a..c43d3d2c1 100644 --- a/test/iosacl/objects-for-regression-tests.fwb +++ b/test/iosacl/objects-for-regression-tests.fwb @@ -1,6 +1,6 @@ - + 
@@ -419,6 +419,7 @@ + @@ -441,6 +442,7 @@ + @@ -1643,7 +1645,7 @@ - + @@ -2069,6 +2071,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + @@ -2163,7 +2189,7 @@ - + @@ -2449,6 +2475,18 @@ + + + + + + + + + + + + @@ -6389,6 +6427,607 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +