
merge from v3_1_merge

This commit is contained in:
Vadim Kurland 2009-09-23 17:00:48 +00:00
commit 23ee2d9531
750 changed files with 57549 additions and 24126 deletions


@ -1,9 +1,10 @@
#-*- mode: shell-script; tab-width: 4; -*-
# $Id: VERSION,v 1.47 2007/07/21 23:44:19 vkurland Exp $
FWB_MAJOR_VERSION=3
FWB_MINOR_VERSION=1
FWB_MICRO_VERSION=0
# VERSION must be a string rather than $var because of the build scripts
VERSION="3.1.0"
SHORTVERSION="310"


@ -1 +1 @@
#define BUILD_NUM 1067
#define BUILD_NUM 1481


@ -90,6 +90,8 @@
#undef HAVE_ANTLR_RUNTIME
#undef HAVE_QTDBUS
/*
* on some platforms (OpenBSD) the second parameter to dlopen is different
*/


@ -270,11 +270,15 @@ else
fi
AC_DEFINE_UNQUOTED(HAVE_ANTLR_RUNTIME, 1, [antlr_runtime])
AC_DEFINE_UNQUOTED(HAVE_EXTERNAL_ANTLR, $HAVE_EXTERNAL_ANTLR, [external_antlr])
AC_SUBST(HAVE_ANTLR_RUNTIME)
AC_SUBST(HAVE_EXTERNAL_ANTLR)
AC_SUBST(HAVE_ANTLR_RUNTIME)
AC_SUBST(HAVE_EXTERNAL_ANTLR)
AC_SUBST(ANTLR_LIBS)
AC_SUBST(ANTLR_INCLUDEPATH)
# Need real test for this, but at least for now it seems Qt comes with
# QtDBus support on all platforms except Windows
AC_DEFINE_UNQUOTED(HAVE_QTDBUS, 1, [qtdbus])
AC_SUBST(HAVE_QTDBUS)
dnl ********************************************************************
@ -419,6 +423,7 @@ test -n "$OS_SOLARIS" && AC_DEFINE_UNQUOTED(OS_SOLARIS,"${OS_SOLARIS}",[solaris]
test -n "$OS_FREEBSD" && AC_DEFINE_UNQUOTED(OS_FREEBSD,"${OS_FREEBSD}",[freebsd])
test -n "$OS_OPENBSD" && AC_DEFINE_UNQUOTED(OS_OPENBSD,"${OS_OPENBSD}",[openbsd])
test -n "$OS_LINUX" && AC_DEFINE_UNQUOTED(OS_LINUX, "${OS_LINUX}", [linux])
test -n "$OS_SECUWALL" && AC_DEFINE_UNQUOTED(OS_SECUWALL, "${OS_SECUWALL}", [secuwall])
test -n "$OS_UNKNOWN" && AC_DEFINE_UNQUOTED(OS_UNKNOWN,"${OS_UNKNOWN}",[unknown])
AC_SUBST(DISTRO)
@ -447,31 +452,7 @@ AC_CONFIG_FILES([ qmake.inc ])
AC_CONFIG_FILES([ src/res/objects_init.xml ])
AC_CONFIG_FILES([ src/res/templates.xml ])
AC_CONFIG_FILES([ src/res/resources.xml ])
AC_CONFIG_FILES([ src/res/os/endian.xml ])
AC_CONFIG_FILES([ src/res/os/freebsd.xml ])
AC_CONFIG_FILES([ src/res/os/fwsm_os.xml ])
AC_CONFIG_FILES([ src/res/os/ios.xml ])
AC_CONFIG_FILES([ src/res/os/ipcop.xml ])
AC_CONFIG_FILES([ src/res/os/linksys.xml ])
AC_CONFIG_FILES([ src/res/os/linux24.xml ])
AC_CONFIG_FILES([ src/res/os/macosx.xml ])
AC_CONFIG_FILES([ src/res/os/oneshield.xml ])
AC_CONFIG_FILES([ src/res/os/openbsd.xml ])
AC_CONFIG_FILES([ src/res/os/openwrt.xml ])
AC_CONFIG_FILES([ src/res/os/pix_os.xml ])
AC_CONFIG_FILES([ src/res/os/solaris.xml ])
AC_CONFIG_FILES([ src/res/os/unknown_os.xml ])
AC_CONFIG_FILES([ src/res/platform/fwsm.xml ])
AC_CONFIG_FILES([ src/res/platform/iosacl.xml ])
AC_CONFIG_FILES([ src/res/platform/ipf.xml ])
AC_CONFIG_FILES([ src/res/platform/ipfw.xml ])
AC_CONFIG_FILES([ src/res/platform/iptables.xml ])
AC_CONFIG_FILES([ src/res/platform/pf.xml ])
AC_CONFIG_FILES([ src/res/platform/pix.xml ])
AC_CONFIG_FILES([ src/res/platform/unknown.xml ])
AC_OUTPUT
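Review bot: HAVE_QTDBUS is defined unconditionally in the first hunk of this file (`AC_DEFINE_UNQUOTED(HAVE_QTDBUS, 1, [qtdbus])`), and the comment right above it concedes that no real test exists, so on a Qt build without the DBus module — the comment itself names Windows — the QtDBus-dependent code is compiled anyway and the failure surfaces at compile or link time instead of at configure time. If the script may rely on pkg-config, a genuine probe is a one-liner: `PKG_CHECK_MODULES([QTDBUS], [QtDBus], [AC_DEFINE_UNQUOTED(HAVE_QTDBUS, 1, [qtdbus])], [HAVE_QTDBUS=0])`, so the macro is only set when the module is actually found. If that is deferred, at least key the define off the host-OS variables the second hunk already maintains (`OS_LINUX`, `OS_FREEBSD`, …) so the Windows case is excluded, and turn the comment into a `TODO` naming the missing check. The new `#undef HAVE_QTDBUS` template entry in the config.h.in section above is fine once configure actually decides the value rather than hard-coding it.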


@ -1,3 +1,1159 @@
2009-09-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler.cpp (ItfNegation::processNext): (change in
libfwbuilder) fix for bug #2710034 "PF Compiler in 3.0.3
Unprotected Interface Bug". When we expand "interface" rule
element which uses negation, skip unprotected interfaces.
2009-09-16 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): Fixed
security issue with temporary file handling in the generated
iptables script. The problem only affects Linux systems where
Firewall Builder is used to generate static routing
configuration. The problem exists in Firewall Builder versions
3.0.4, 3.0.5, 3.0.6
2009-09-14 vadim <vadim@vk.crocodile.org>
* standardized compiler error and warning messages using format
fw_name:ruleset_name:rule_number: warning: message
fw_name:ruleset_name:rule_number: error: message
* dialogs that show compiler output recognize error and warning
messages and highlight them using different color and bold font.
2009-09-07 vadim <vadim@vk.crocodile.org>
* single rule compile feature implemented for all
platforms (iptables, ipfilter, pf, ipfw, iosacl, pix) and
integrated with the GUI. Currently using keyboard shortcut "x".
Fixes #23.
2009-09-06 vadim <vadim@vk.crocodile.org>
* RuleSetView_single_rule_compile.cpp (RuleSetView::compileForCurrentRow):
Single rule compile implementation. Currently this is triggered by
hitting keyboard key 'x', the event is processed by RuleSetView
class which calls RuleSetView::compileForCurrentRow(). This
creates compiler driver object and calls it to compile currently
selected rule. The result is shown in the editor panel. User can
select parts or the whole of the generated script in the editor
panel but it is read-only. Works only with iptables yet. Refs #23.
* src/iptlib/iptlib.pro (SOURCES): Moved all modules for fwb_ipt
except main module ipt.cpp to a separate library so that they can
be linked with either command line compiler fwb_ipt or the
GUI. Refs #23
2009-09-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printDstService):
fixed bug (no #): policy compiler for Cisco IOS ACL did not add
icmp type to the generated ipv6 access-list statements for rules
that matched ICMPv6 services.
2009-09-03 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/update_bridge: configlet that updates
bridge interfaces will now completely synchronize interfaces with
configuration created in fwbuilder even if no bridge interfaces
are used in fwbuilder. Bridge interfaces that exist on the
firewall but not in fwbuilder will be deleted and those that exist
in fwbuilder but are missing on the machine will be added. Bridge
ports are deleted and added after bridge interfaces have been
synchronized.
* src/res/configlets/linux24/update_vlans: fixed command line in
the command that removed vlan interface
2009-08-30 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::addToLog): fixed bug #2847263
"Batch compiling incrementally slow". The time it took to add a
log line to the progress window in the "Compile" dialog slowed
down a lot as amount of text in QTextEditor increased.
2009-08-28 vadim <vadim@vk.crocodile.org>
* ProjectPanel.cpp (ProjectPanel::event): instead of several
methods in FWWindow that scan all project panel windows and
execute some operation, using user defined events. Currently have
two events: dataModifiedEvent and updateObjectInTreeEvent. The
first one signals that some object has changed so that
ProjectPanel::event() can update timestamps and do other things.
It then posts the second event, which it will catch and process on
the next event processing run. The second event does UI updates.
Both events carry file name and object ID. Only those ProjectPanel
objects that have the same file process the event. Events are
dispatched to project panels in FWWindow::event(). Concentrating
all UI update logic in one place helps avoid unnecessary redraws.
This replaces FWWIndow::updateLastModifiedTimestampForOneFirewall,
FWWindow::updateLastModifiedTimestampForAllFirewalls,
FWWindow::reloadAllWindowsWithFile.
* interfaceProperties.cpp (interfaceProperties::manageIpAddresses):
this is a generic method that implements a policy to decide
whether generated script should manage ip addresses of a given
interface. It checks if it belongs to a cluster or a firewall and
failover protocol (if it belongs to a cluster). It fills two
lists: one is the list of addresses that the interface should have
and another is a list of interfaces the script must not remove
even if they are assigned to the interface. The method uses data
from host_os XML resource file.
2009-08-27 vadim <vadim@vk.crocodile.org>
* CompilerDriver.cpp (CompilerDriver::mergeRuleSets): See #372:
this change reverses the logic of the program when it merges rule
sets from the cluster into its member firewalls. In the original
Secunet implementation rule sets of members were ignored and only
one top level rule set from the cluster was ever used. Now we
check if member firewall has rule set of the same name as cluster
and use it if it is not empty and issue a warning. If rule set of
the member firewall with the same name is empty, rules from the
cluster are used. All rule sets of the cluster that do not match
anything in member firewalls are merged into firewalls and used
for compilation. This way, we can have multiple rule sets in the
cluster and can have slightly different rules in member firewalls
if necessary. See ticket #372 for more details and info for the
documentation.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::addPredefinedPolicyRules):
fixes #388: "automatic rules are added to second rule set in
cluster member". IF a cluster member firewall had several policy
rule set objects, automatic rules for conntrackd, vrrp, heartbeat
were added multiple times.
* OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands):
fixes #387: add calls to update_addresses shell function in
generated script even for interfaces with no ip addresses. This
way, if such interface has an address on the machine, it will be
removed. This helps synchronize configuration with fwbuilder when
user removes all addresses from an interface and converts it to
"unnumbered". Note that update_addresses never removes scope link
and scope host addresses of the interface even if they are not
configured in fwbuilder GUI.
* PolicyCompiler_pf.cpp (SplitDirection::processNext): applied
patch per #2844561: "PF Compiler Direction Both Duplicate for
Route Action". Need to split the rule if direction is Both
and action is Route.
* newFirewallDialog.cpp (newFirewallDialog::templateSelected):
fixed bug #2844596: "Crash during newFirewallDialog". GUI crashed
if user clicked "next" in the new firewall dialog to open page
with templates, then clicked "Back" and then "Next" again.
* ObjectManipulator.cpp (ObjectManipulator::select): fixed bug
#2845667 "Crash after find object". When host object was found
using "Find object" function while searching by ip address,
clicking on the selected host in the tree caused crash.
* VERSION (LIBFWBUILDER_SOMAJOR): started 3.0.7
2009-08-26 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::validateForPaste):
User should be able to add vlan interface to a bridge (vlan
interface becomes bridge port). Fixes #384
* CompilerDriver.cpp (CompilerDriver::populateClusterElements):
moved this method from class Compiler. fixes #367
* CompilerDriver_compile.cpp (compileSingleRule): entry point for
single rule compile. Takes one argument - rule ID and returns a
QMap<QString,QString> where key is firewall name and value is
generated script for this rule. Currently using this entry point
in the command line compilers via cli argument -s rule_id. Fully
implemented in fwb_ipt. Fixes #358, #206
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): using
std::auto_ptr to protect OSConfigurator, PolicyCompiler and
NATCompiler objects and to properly delete them to avoid memory
leaks in fwb_ipt. fixes #371
2009-08-24 vadim <vadim@vk.crocodile.org>
* CompilerDriver.cpp (CompilerDriver::commonChecks2): refactored
bunch of common sense checks from compilers for ipt and pf into
common module. This also fixes #337 by checking if it is ok for
the cluster interface to have no ip address using xml resource
file for the fw host OS. Protocols such as heartbeat and openais
can operate when failover interface has no shared cluster address
because these protocls can use multicast address. However
configuration when cluster interface using one of these protocols
has shared IP is also legit. The check here only suppresses error
message when interface has no ip.
* platforms.cpp (setInterfaceTypes): Fixes #335 : if interface
name matches naming convention for vlan interfaces and vlan type
is in the list that came from the resource file, then leave only
vlan in the list we return. Note that if resource file says this
subint can not be vlan, we dan't return vlan type on the list even
if its name looks like it could be one.
* ProjectPanel.cpp (ProjectPanel::updateTreeViewItemOrder):
Removed ProjectPanel::updateTreeViewItemOrder() and removed call
to it from ObjectEditor::notifyChangesApplied(). We take care of
QT bug workaround for improper sorting in other places. This
change fixes #329.
2009-08-21 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::newInterface): If
newly created interface object is a top-level interface, always
set its type to "ethernet". If it is subinterface, call
guessInterfaceType() to guess.
* ObjectManipulator.cpp (guessInterfaceType): fixes #334. the GUI
guesses correct subinterface type when it is created and when user
hits "Apply" in the interface object dialog after some changes
have been made. If inetrface name matches one of the patterns of
the vlan inetrface for the given OS, its type is set to "vlan" and
vlan ID is assigned. If its name does not match naming pattern of
a vlan interface but parent interface type is "bridge" or
"bonding", subinterface type is set to "ethernet". This covers
most of the use cases and makes subinterface type assignment
automatic.
* ObjectManipulator.cpp (ObjectManipulator::newInterfaceAddress):
fixes #330: the name of the ip address of an interface should
follow the schema "firewall:interface:subinterface:ip". The same
schema should be followed when address object is automatically
renamed when the user renames firewall or interface object.
* ObjectManipulator.cpp (ObjectManipulator::copyObj): call
Interface::getOptionsObject() at the beginning of copy and
dragStart operations to make sure interface has options object
later in paste and drop operations when we need it to do some
validation checks.
2009-08-20 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::validateForPaste):
perform checks for the valid vlan subinterface configuration
for copy/paste and d&d drop operations; this uses the same
algorithms as the check done when user renames an interface.
This means user can not copy/paste or d&d interface "eth1.100"
to make it a subinterface of "eth0" or top-level interface.
* InterfaceDialog.cpp (InterfaceDialog::validate): Additional
checks for validity of interface name: the name can not contain
white space, if the name looks like vlan interface, checking
if it is valid (base name must match name of the parent interface
and vlan ID must be in the allowed range)
* InterfaceDialog.cpp (InterfaceDialog::applyChanges): Fixes #328:
"automatically assign vlan id to interface based on interface
name". The GUI automatically sets interface type to "vlan" and
configures vlan ID if user changes name of the interface to
something that matches regex for vlan interfaces on given OS.
This is done when user hits "Apply" button in the Interface object
dialog.
* src/compiler_lib/interfaceProperties.h (class
interfaceProperties): refactored class linux24Intrfaces into class
hierarchy with base class interfaceProperties and factory
class interfacePropertiesObjectFactory. These classes are now
part of the compiler extensions library in src/compiler_lib
and can be used by both the GUI and compilers.
* Configlet.cpp (Configlet::Configlet): New constructor for the
class Configlet accepts os name perifx and default os name prefix.
If configlet file is not found in the directory defined by the
first prefix, the program tries to find it in the default place
defined by the second prefix.
* src/res/configlets/sveasoft/script_skeleton: Using separate
configlets for Linksys/Sveasoft host os.
2009-08-19 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::newInterfaceAddress):
fixes #318: New ip address of interface was always created with
the same name even if there was an address object with the same
name under the same interface.
* OSConfigurator_linux24_interfaces.cpp (validateInterfaces):
Tests for unsupported interface configurations, see #315, 324.
The first test scans all subinterfaces of each interface and tries
to find top level inetrfaces wth the same name, then checks their
type. For the combination some_interface/br1, we look for the top
level interface "br1" and if it exists and its type is "bridge",
then this is unsupported configuration. This test does not allow
subinterface to have the same name as a bridge interface
regardless of the type of the parent interface. So, bridge/bridge
or bonding/bridge combinations are not allowed. The test has to
search top level interfaces because bridge port subinterfaces can
be copies (e.g. when a vlan interface is at the same time a bridge
port).
The second test looks for the following combinations: 1) vlan
interfaces under bridge interface (e.g. br0 = [eth1, eth2], vlan
inetrface br0.100 is not supported) and 2) vlan interfaces as
slaves of bonding interfaces (e.g. eth0.100, eth1.100, bond0
= [eth0.100, eth1.100], note the difference between this and vlan
of bonding interface such as bond0.201). Only regular interfaces
can be slaves of bonding interface. If subinterface type is
"ethernet" but its name matches one of the vlan interface regexes,
assume this is vlan. Slave subintrfaces do not have to be copies,
one can have "eth4" only once, as a slave, so we cant search for a
top level interface with the same name and rely on the
subinterface type.
2009-08-18 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::makeNameUnique): The
program should never change the name of vlan interface when such
interface is being copied/pasted or dropped to become a
subinterface. The name of the vlan interface carries vlan ID and
changing name is not allowed. One of the typical usage patterns is
to create vlan interface "eth0.101" and then immediately try to
copy/paste it to under br0 to make it bridge port. In this case
interface eth0.101 wont have type "8021q" just yet because the
user did not open interface "advanced" settings dialog to set its
type and VLAN ID. Users assume that if its name is "eth0.101",
then it must be vlan interface. We should follow this assumption
too. Also, check for names "vlanNNN" as well.
* ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo):
during "paste" operation, call makeNameUnique() to make the name
of the copy unique before actually adding the object to its
parent. Otherwise makeNameUnique() finds it and changes the name.
* src/res/configlets/ipcop/script_skeleton: Using configlet to
define script structure for generated IPCOP script. IPCOP script
is executed as /etc/rc.d/rc.firewall.local and does not manage ip
addresses of interfaces or vlan/bond/bridge interfaces so it does
not need corresponding shell functions. Script can check if
interfaces configured in fwbuilder GUI match actual appliance, so
the shell code to do that is included. Since we should be able to
use interfaces with addresses assigned dynamically in rules, the
code that gets their addresses at run time is included. Code to
check if data files used by run time address table objects exist
is also included. Using configlets helps better manage what is
included for the given os family ("linux24" or "ipcop" or some
other in the future). Also, user can override our configlets by
placing file with the same name in "fwbuilder/configlets"
directory in their $HOME.
2009-08-17 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/shell_functions: cleaned up coding
style in shell functions in configlets: using uniform 4 spaces
indentation.
* src/res/configlets/linux24/script_skeleton: This configlet
defines structure of generated iptables script. Script recognizes
the following command line options: start|stop|interfaces
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Building
whole iptables script from configlet.
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::configureInterfaces):
See #314. Need to update vlans and bond interfaces first and only
then deal with bridges because bridge may use bonding interface or
vlan created in the first step. Unsupported configurations: vlan
interfaces under bridge interface (e.g. br0 = [eth1, eth2], vlan
inetrface br0.100 is not supported), bridge interface as part of
bonding interface (e.g. bond0 = [br0, br1]), vlan interface as a
slave of bonding interface (e.g. eth0.100, eth1.100, bond0
= [eth0.100, eth1.100]). Only regular interfaces can be slaves of
bonding interface; vlans can be created under bonding interface
(e.g. bond0.100), both regular interfaces and vlans can be bridge
ports. Script first updates bonding interfaces, then updates all
vlans, including possibly those under bonding interfaces, and
finally updates bridge configurations using interfaces created in
first two steps.
2009-08-12 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
#2836321: "SNAT rule that changes Trans Src and Trans Port does
not work". Dual translation rule that changes source address and
destination port was not supported.
2009-08-10 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): For bug
#2835193: "Modulate state doesnt work for PF". Check variable
"modulate state" in rule optiopns and global firewall options. If
checkbox is turned on in the firewall options, then we always use
"modulate state". This option can also be turned on for an
individual rule using rule options dialog.
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): Fixed
bug #2835193: "Modulate state doesnt work for PF". The name Xml
attribute used to hold the value of "module state" option was
entered incorrectly in the dialog.
2009-08-09 vadim <vadim@vk.crocodile.org>
* ipfw.cpp (main): compiler for ipfw uses new manifest format
and supports remote file name for the generated .fw script
Fixes #308
* ipf.cpp (main): compiler for ipfilter uses new manifest format
and supports remote file names for generated .fw and .conf
files. Fixes #307
* CompilerDriver_pf.cpp (CompilerDriver_pf::getRemoteConfFileName):
compiler for PF uses new manifest format and supports remote file names
for generated .fw and .conf files. Fixes #306
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): compiler
for iptables uses new manifest format to implement support for
alternative name of the script on the firewall. Fixes #305
2009-08-08 vadim <vadim@vk.crocodile.org>
* instDialog.cpp: Installation process is controlled by sevral
variables that the user can change in the "advanced" dialog
for the firewall platform:
Tab "Compiler":
- output file name
- script name on the firewall
- for PF and ipfilter additionally .conf file name on the firewall
Tab "Installer":
- directory on the firewall where script should be installed
- command that installer should execute on the firewall
These variables have default values if input fields are left blank
in the dialog as follows:
output file name: the name of the firewall object, plus extension
".fw". For PF two files are generated: <firewall>.fw and
<firewall>.conf; for ipfilter files <firewall>.fw, <firewall>-ipf.conf
and <firewall>-nat.conf are generated.
script name on the firewall: the same as the output file name
directory on the firewall: "/etc"
command that installer executes to activate policy: installer runs
script <firewall>.fw
If user enters alternative name in the "script name on the
firewall", it is used when generated script is copied to the
firewall. There are two input fields in the dialogs for PF and ipf
where user can enter alternative name for the .fw script and .conf
file. The name can be relative or absolute path. If it is a
relative path or just a file name, it is treated as a file name in
the directory specified by the "directory on the firewall" input
field in the "Installer" tab. If the name is an absolute path, the
directory entered in "directory on the firewall..." input field is
ignored. If user entered alternative name for the script on the
firewall, the command that installer should execute to activate it
must be entered as well. If the alternative name was entered as an
absolute path, activation command should take this into account
and use the same absolute path. The command can start with "sudo "
if user account used to copy and activate policy is not root.
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
Added input fields to the "advanced" dialogs for iptables, pf,
ipfilter and ipfw to make it possible to specify the name of the
generated script on the firewall. With this change, fwbuilder can
generate the script using unique name but use standard common name
such as "rc.firewall" when the script is copied to the firewall
machine. This is important when two firewalls that are part of a
cluster are compiled at the same time. In this case we can not use
name such as "rc.firewall" for the output script because file
generated for the second firewall in the pair overwrites the one
generated earlier for the first. Now we can use unique names for
scripts generated for each member of the pair but copy them to the
firewall machines using the same common name. Fixes #304 The
implementation is not complete yet, I still need to make changes
in the installer and policy compilers.
2009-08-07 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/process_bridge: Configlets that
updated ip addresses, vlan, bridge and bonding interfaces bring
interfaces up using $IFCONFIG command. Fixes #301
2009-08-06 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::actuallyPasteTo): When
a subinterface is copied to make a subinterface of another
interface, the type of the copy is reset to "ethernet". If the
type was retained, it was easy to create subinterface with invalid
type without obvious signs in the GUI that this has happened. For
example, if vlan subinterface was copied to make subinterface of a
bridge interface, it retained type "8021q" but ended up as a child
of interface with the name that did not match. The intention was
to use vlan subinterface as a bridge port, but compiler issued an
error because of a subinterface having illegal name (name is only
checked for vlan subinterfaces). Fixes #299
* PrefsDialog.cpp: Added a page to the global Preferences dialog
where user can enable/disable target firewall platforms and host
OS. Disabled platforms and OS do not appear in the drop-down lists
in a "new firewall" and "new cluster" dialogs, as well as object
editor panel. This helps reduce clutter if user only works with a
couple of platforms and OS. Default setting of the status for each
platform and os comes from the corresponding XML resource
file. This way we can ship the program with some host OS or
platforms disabled by default, but the user can still enable them.
Settings in users preferences override default status setting
in the resource file. Fixes #262
* ObjectManipulator.cpp (ObjectManipulator::newAddressRange):
newly created objects get default name that is the same as the
type name with no "New ..." prefix.
* ObjectTreeView.cpp (ObjectTreeView::dropEvent): if user drags an
object in the tree and drops it beyond the last tree item, the
program should ignore this drop operation and do nothing (it used
to crash). Added checks for this condition. Fixes #294
* ObjectManipulator.cpp (ObjectManipulator::makeNameUnique): while
guessing the name of the new interface or trying to avoid
duplicate names during copy/paste, we should not change names of
the vlan interfaces. Fixes #296
2009-08-05 vadim <vadim@vk.crocodile.org>
* FWWindow.cpp (FWWindow::prepareToolsMenu): disable
Tools/Discover menu if all internal windows were closed and there
is no active object tree where discovered objects could be
created. Fixes #291
* ObjectManipulator.cpp (ObjectManipulator::relocateTo): Added
check for when user tries to drag&drop an object onto itself in
the tree. Fixes #292
2009-08-04 vadim <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::newInterface): when
user creates interfaces of a firewall or a cluster using context
menu "Add Interface" in the object tree, the program finds
interface that was created most recently and uses its name as a
prototype, automatically incrementing its number. For example, if
the user needs to create several "eth" interfaces, the program
will automatically create "eth0", "eth1", "eth2" etc. whithout the
need for the user to rename them. Fixes #277
* configure.in: Removed all .xml.in resource files in src/res/
src/res/os and src/res/platform. The only configurable attribute
in these was "version", which is not required and was not used
anywhere. Fixes #269
* PolicyCompiler_PrintRule.cpp (PrintRule::_printOptionalGlobalRules):
automatically added rule that matches packets in state INVALID
should use log prefix that says it is for state INVALID. The rule
now ignores user-defined global logging prefix and always uses
"INVALID state -- DENY ". Fixes #283
2009-08-04 Vadim Kurland <vadim@vk.crocodile.org>
* heartbeatOptionsDialog.cpp (heartbeatOptionsDialog::heartbeatOptionsDialog):
Added GUI elements to allow the user to change multicast address
for heartbeat. Deafault address is 224.0.10.100. Fixes #213
* clusterMembersDialog.cpp (clusterMembersDialog::firewallAdd):
enabled multiple object selection in the left panel of the cluster
member management dialog. User can select several interfaces using
Ctrl-click (or Command-Click on Mac OS X) and then move them all
to the right panel at once. Fixes #254
* ObjectEditor.cpp (ObjectEditor::notifyChangesApplied): Dialogs
that have buttons to open "advanced" settings dialogs now save
changes and disable "Apply" button when such additional dialog is
opened. This includes Firewall, Interface, cluster group and few
other objects. Previously changes were saved as well but the
"Apply" button was not disabled, making impression that changes
were not saved into the object. Fixes #286
2009-08-03 Vadim Kurland <vadim@vk.crocodile.org>
* ObjectManipulator.cpp (ObjectManipulator::autorename): See #273:
"child objects not getting renamed". Autorename function should
rename ip and mac addresses of interfaces and subinterfaces when
the host or parent interface name changes.
* newClusterDialog.cpp (newClusterDialog::finishClicked): See
#211: "interface type mismatch between member interfaces and
cluster interface". When cluster object was created manually and
failover type was set to "heartbeat" or "openais" for its
interfaces, the type was not properly set in created objects.
2009-08-02 vadim <vadim@vk.crocodile.org>
* ObjectTreeView.cpp (ObjectTreeView::dropEvent): Dragging several
subinterfaces from one parent interface to another created
bizzarre tree-like structure where each of these subinterfaces
became subinterface of another. See #280. Fixed in r1254
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule):
Added test to make sure ip address entered by the user in the
StateSync group dialog for conntrack is valid. Fixes #220
* CompilerDriver_ipt_cluster.cpp (CompilerDriver_ipt::processStateSyncGroups):
The program did not find StateSync group member inetrfaces when
they were subinterfaces and as the result compiler did not
generate automatic policy rules for conntrack. Fixed in r1253
* ObjectManipulator.cpp (ObjectManipulator::prepareForInsertion):
DTD does not allow nested subinterfaces; only one level of
subinterfaces is supported. Interface::validateChild() now checks
for this condition and the GUI shows detailed error message dialog
when user tries to move interface that has subinterfaces under
another interface using copy/paste or d&d. Fixes #275
* ObjectManipulator.cpp (ObjectManipulator::relocateTo): When user
dragged an interface that has child objects (ip address, MAC
address) and dropped it in a different place in the object tree,
the program would show only the interface object in the new place
but not its children. Should be using insertSubtree() to fix
this. Fixes #276
2009-08-01 vadim <vadim@vk.crocodile.org>
* ProjectPanel_file_ops.cpp (ProjectPanel::chooseNewFileName): If
user forgot to add .fwb suffix to the file name they entered in
the "Save As" function, the program automatically adds it.
See #234
* CompilerDriver.cpp (CompilerDriver::commonChecks): compiler
should check that cluster member firewalls are configured to use
different output file names. See #237
* OSConfigurator_linux24::printVerifyInterfacesCommands: function
verify_interfaces uses configlet "verify_interfaces" and checks if
all interfaces of the firewall defined in the GUI really exist,
including bonding, vlan and bridge interfaces.
* OSConfigurator_linux24::printInterfaceConfigurationCommands:
Using configlet process_addresses to implement shell commands that
incrementally add and remove addresses on interfaces. Added
support for IPv6 addresses. Addresses found on the actual
interfaces of the firewall are compared with those defined in
fwbuilder objects and missing ones are added and those not defined
in fwbuilder are deleted. If a firewall is a cluster member using
heratbeat for failover, ip addresses associated with heartbeat
failover groups are skipped. The script wont delete these on the
firewall that is active at the moment when script runs and wont
add them to the passive firewall because that would interfere with
operation of heartbeat. The same is done for OpenAIS
protocol. Fixes #270 , See #261
2009-07-31 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printVlanInterfaceConfigurationCommands):
Using configlets to generate shell script that incrementally
updates (adds and removed) VLAN, bridge and bonding interfaces.
See #261
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions):
Using configlets to generate iptables script.
* Configlet.cpp (Configlet::Configlet): generic class to read
fragment of generated script from an external file, possibly do
macro substitution and then insert the contents into generated
script. Configlets are stored in files in the resources directory
that is part if installed package (/usr/share/fwbuilder/configlets
on Linux, fwbuilder31.app/Contents/Resources/configlets on Mac OS
X, c:\FWBuilder31\resources\configlets on Windows) or in the
subdirectory "fwbuilder/configlets" in users home directory on all
OS. If configlet file is found in the home directory, it overrides
the one installed with the package. This provides for simple way
for users to override parts of the generated configuration
scripts. Currently configlets are only impletened for Linux-based
OS. Fixes #263
2009-07-30 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions):
fixes #259 Generated script should check if brctl, vconfig and
ifenslave tools are available before using them.
* Host.cpp (Host::getManagementAddress): the program failed to
retrieve ip address that should be used to talk to the fw when
management interface was subinterface. Fixes #260
* linux24advanceddialog_q.ui: Fixes #258 fixed tab order in the
dialog.
2009-07-29 vadim <vadim@vk.crocodile.org>
* linux24AdvancedDialog.cpp (linux24AdvancedDialog::linux24AdvancedDialog):
Added input fields for vconfig, brctl and ifenslave to the host
settings dialogs for linux24, linksys, ipcop, openwrt. See #256
* DiscoveryDruid.cpp (DiscoveryDruid::addInterface): Removed
obsolete checkbox "Add virtual addresses", we always discover
virtual addresses. Instead added checkbox "Add interfaces with no
ip addresses". If this option is turned on, discovery druid
creates interfaces with no ip addresses as "unnumbered". Even when
this option is off, interfaces with no addresses are created if
they are discovered to have vlan, bridge or bodning subinterfaces.
Fixes #246 and 229
* NetworkDialog.cpp (NetworkDialog::validate): Fixes #251: do not
allow 0 bit netmask for Network and NetworkIPv6 objects.
* linux24Interfaces.cpp (linux24Interfaces::rearrangeInterfaces):
Special treatment of the vlan subinterface that are members of
bridge group: snmp discovery now creates subinterfaces for these
vlan interfaces twice, first time as a child of the bridge
interface and then also as a vlan subinterface of the parent
physical interface. For example, in the confgiuration such as the
following
bridge name bridge id STP enabled interfaces
br0 8000.000c29f6bebe no eth4.102
eth5
We create interface br0 with subinterfaces eth4.102, eth5, and
also we create interface eth4 with subinterface eth4.102
* ObjectManipulator.cpp (ObjectManipulator::makeNameUnique):
duplicate names are automatically fixed only if objects with the
same name belong to the same parent. Identical names on different
levels are allowed. For example, interface "eth0" can be direct
child of a Firewall object (so it can have vlan subinterfaces) and
a member of the bridge group where it is a child of another
interface.
2009-07-28 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): remove
extra white space after tcp port spec if source port match was not
used in the rule.
* PolicyCompiler_pf.cpp (fillDirection::processNext): Applied
patch per bug report #2828633: "Patch: Warning when changing rule
direction in compiler". This adds warning when rule direction is
changed by the compiler because object in source or destination
was firewall itself.
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): Implemented
change per bug #2828602: "PF Compiler Direction Both no
Duplication Patch". PF rules with direction "both" used to be
split to make two rules, one with direction "inbound" and another
with direction "outbound". This was an artefact of old rule
generation model where user could choose to permit everything
outbound and only generate inbound rules, or generate both inbound
and outbound rules. Since we now always generate both in abd out
rules and PF matches both directions when neither "in" or "out" is
specificed, this splitting has become redundant.
* Compiler_cluster.cpp (Compiler::populateClusterElements): while
scanning interfaces-members of a failover group, use only those
that are children of the firewall that we are compiling. fixes
#242 "fwb_ipt generates duplicate automatic rules for heartbeat
and other protocols"
* FWWindow.cpp (FWWindow::disableActions): Always enable toolbar
buttons "Compile" and "Install". Fixes #249
* FirewallDialog.cpp (FirewallDialog::validate): fixes #248
"setting firewall type as empty space crashes". Note that the
combobox with firewall platforms will have separators instead of
spaces if QT version is 4.5 or above. Separators are not
selectable so this problem can not happen with late versions of
QT. Old versions of QT do not support separators in QComboBox
widget, which is why spaces are inserted in the list. This change
makes the program validate platform and host os settings and not
allow empty strings.
* RoutingRuleOptionsDialog.cpp (RoutingRuleOptionsDialog::loadFWObject):
fixes #247 - "lusters->fw->routing->insert rule->options causes
segfault". Needed to check for Firewall and Cluster types here and
in a few other places.
* instDialog_ui_ops.cpp (instDialog::completeInstallerOptions):
fixes #244: "installer does not check subinterfaces when it is
looking for management interface"
* OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printVlanInterfaceConfigurationCommands):
fixes #243 - need to set naming schema for vlan interfaces in
a separate command before creating vlan interface. Doing so in
one vconfig command causes error.
* DiscoveryDruid.cpp (DiscoveryDruid::createRealObjects):
discovery druid guesses which interfaces from the list found by
SNMP crawler are vlan subinterfaces and creates them as children
of the corresponding top level interface. It also sets interface
type and vlan ID. Fixes #239 Bonding and bridge subinterfaces
are also recognized.
* DiscoveryDruid.cpp (DiscoveryDruid::createRealObjects):
discovery druid sets firewall platform and host OS using
information from sysDescr OID. fixes #241
* linux24Interfaces.cpp (linux24Interfaces::rearrangeInterfaces):
this new class implements various algorithms used to guess which
interfaces discovered by SNMP crawler might be vlan subinterfaces.
It will also find bonding and bridge interfaces. Fixes #240
2009-07-27 vadim <vadim@vk.crocodile.org>
* clusterMembersDialog.cpp (clusterMembersDialog::createMember):
support for subinterfaces as cluster group members. Fixes #235
2009-07-26 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext):
Better way to do optimization for "-i +", "-o +" for bug #2822098:
check for interfaceStr equal to "*" instead of re->isAny()
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): check all
interfaces, including subinterfaces to make sure all the ones
marked as "regular" have IP addresses.
* DialogFactory.cpp (DialogFactory::createClusterGroupOptionsDialog):
fixed bug introduced in r1208 - clicking button "Edit protocol
settings" in the failover group with type "heartbeat" failed to
open the dialog.
* PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext):
Better way to do optimization for "-i +", "-o +" for bug #2822098:
check for interfaceStr equal to "*" instead of re->isAny()
2009-07-25 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands):
the program did not create commands to add ip addresses to VLAN
subinterfaces. Fixes #226
* openaisOptionsDialog.cpp (openaisOptionsDialog::openaisOptionsDialog):
Added support for OpenAIS failover protocol in the GUI and
policy compiler for iptables. Fixes #214
* newFirewallDialog.cpp (newFirewallDialog::finishClicked): the
program left platform and os settings undefined of the new
firewall object created from template. Fixes #210
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertFailoverRule):
Policy compiler for iptables adds automatic rules for heartbeat
protocol if it is used for failover. Rules permit all udp port 694
in and out on the given interface. Refs #213
* Cluster.cpp (Cluster::getMembersList): need to scan not only
StateSyncClusterGroup child objects but also all
FailoverClusterGroup objects in order to find all member
firewalls. The program used to look only at StateSyncClusterGroup
objects, which meant it did not recognize any members if state
sync group was empty. This fixes issue #4 in the bug #2826765:
"problems and suggestions for 3.1.0-b1187".
2009-07-24 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (decideOnChainIfDstFW::processNext):
There was no rule in INPUT chain generated when cluster object was
in "destination". Fixes #215
* CompilerDriver_ipt.cpp (CompilerDriver_ipt::processPolicyRuleSet):
fixed problem #2 "duplicate rules" reported in the bug #2826765:
"problems and suggestions for 3.1.0-b1187". Compiler did not add a
call to the shell function reset_iptables_v4 to reset all chains.
* Rule.cpp (PolicyRule::getBranch): fixed problem #4 "GUI crash
when setting action to be a chain." reported in the bug #2826765:
"problems and suggestions for 3.1.0-b1187". The GUI crashed when
policy rule in the cluster policy was set to action "Chain".
2009-07-23 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::insertConntrackRule):
automatically added rules that permit conntrackd messages use
address and port configured in the protocol options for the state
sync group for the cluster, or if these are empty, default values
from the host OS xml resource file. Generated rules are configured
to go into INPUT and OUTPUT chains. Refs #212
* conntrackOptionsDialog.cpp (conntrackOptionsDialog::conntrackOptionsDialog):
make conntrackd multicast address and udp port configurable in the
protocol options dialog for conntrackd state sync protocol. Default
address and port are stored in the host OS xml resource file. Refs #212
2009-07-19 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed bug #2823951: "unnecessary rules in FORWARD chain". Policy
rules that have interface object in "Interface" column and
direction "Both" generate unnecessary iptables commands in the
FORWARD chain when destination matches one of the addresses that
belong to the firewall.
2009-07-18 vadim <vadim@vk.crocodile.org>
* RuleSetView.cpp (RuleSetView::moveRule): fixed bug #2823668:
"MDI window glitch". If the GUI had two or more MDI windows and
user moved rules in one of them, the GUI switched to another after
the operation was complete.
* resources.xml.in: Removed unused XML elements from the resource
file. A lot of the stuff was obsolete in there.
* ObjectTreeView.cpp (ObjectTreeView::updateTreeItems): New icons
for v4. Cleanup in the code to make sure we use proper icons
everywhere.
2009-07-17 vadim <vadim@vk.crocodile.org>
* linux24.xml.in: Moved tables of allowed failover and state sync
types as well as interface and subinterface types from the code in
platforms.cpp to the OS resource files in src/res/os/*.xml.in
Fixes #58
* fwbuilder.dtd.in (Library): fixed bug #2823424: "Deleting
UserService object breaks data file format". When user deleted
UserService object, it was moved to the "Deleted Objects" library
which broke XML file because DTD did not allow UserService element
as a child of Library
2009-07-16 vadim <vadim@vk.crocodile.org>
* newClusterDialog.cpp (newClusterDialog::shrinkListOfPlatforms):
clean-up in the newClusterDialog class. List of platforms shown on
the first page should include only platforms that support
clustering. Fixes #197
* FWBTree.cpp (systemObjects): system group "Clusters" moves to
the top level of the tree. Fixes #167
2009-07-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext):
fixed bug #2822098: "IPT: adds useless "-i +" iin some cases".
Added optimization to remove redundant "-i +" and "-o +" if
chain is INPUT or OUTPUT.
2009-07-14 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (singleItfNegation::processNext): fixed
bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".
* PolicyCompiler_PrintRule.cpp, NATCompiler_PrintRule.cpp: fixed
bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
warnings". starting with v1.4.3.1 iptables started giving warnings
when negation ("!") is used after --option. This fix adds version
"1.4.3" to the list of recognized iptables versions in fwbuilder
and makes compiler generate extrapositioned version of the option
such as "! --option arg".
2009-07-13 vadim <vadim@vk.crocodile.org>
* iptAdvancedDialog.cpp (iptAdvancedDialog::iptAdvancedDialog):
fixed bug #2820840: "IPT: prolog script+iptables-restore silent
incompatibility". With this fix the GUI does not allow for the
prolog script to be placed after policy reset if iptables-restore
is used to activate iptables rules. Also policy compiler for
iptables checks for this condition and aborts with an error
message if prolog place is set to "after reset" but
iptables-restore is used to activate policy. Configuration may end
up with this combination of options if user set prolog place to
"after reset" first and switched activation method to
iptables-restore later.
* ACL.cpp (ciscoACL::addRemark): fixed bug #1778536 "IOSACL -
remark command". Remarks now include rule comments; if comment
consists of several lines, each line is added using separate
remark statement. This works for both IOS ACL and PIX platforms.
2009-07-12 vadim <vadim@vk.crocodile.org>
* printerStream.cpp (printerStream::printQTable): fix bug
#2807724: "Print out FWB still not ok". Taking into account hidden
rable rows associated with rule groups while printing rule sets.
Before this fix some rules disappeared between pages in the
printout.
2009-07-11 vadim <vadim@vk.crocodile.org>
* PrintingController.cpp (PrintingController::printRuleSet): bug
#2807724: "Print out FWB still not ok". Rule groups were always
printed expanded, even if they were collapsed by the user in the
GUI.
* OSConfigurator_openbsd.cpp (processFirewallOptions): fixed bug
#2820162 "Bad sysctl name for OpenBSD pf" - the sysctl argument
for IPv6 forwarding was incorrect.
* AddressRange.h (libfwbuilder): fixed bug #2820152: "Address
ranges and other such need IPv4/v6 typing". AddressRange object
should be recognized and removed from the rule if it is used in
ipv6 rule set. To do this, add virtual method
hasInetAddress() (should return true) to indicate that this object
has an address. This works since virtual method getAddressPtr()
has been implemented anyway.
* VERSION (VERSION): started v3.0.6
2009-07-11 vadim <vadim@vk.crocodile.org>
* FindObjectWidget.cpp (FindObjectWidget::inSelectedFirewall):
Search and replace did not work in scope "policy of opened
firewall" for cluster policies. Fixes #185
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): since
current implementation can not generate configuration commands for
interfaces of the member firewalls using attributes of the cluster
interface, disable GUI controls in the interface object dialog if
it is an interface of a cluster. fixes #187
* Summary of changes in the "interface advanced options" dialogs
for cluster interfaces. The "Advanced settings" button is now
disabled in the dialog for the main cluster interface. The code
has been changed to always check the type of the failover group
instead of the interface type where it needs to determine failover
protocol (vrrp, heartbeat or carp). All parameters of the failover
protocol should be configured using failover group object. The
"advanced options" dialog is still available for interfaces of the
real firewalls and their subinterfaces. Fixes #109, refs #180,
#183, #181, #187, #179, #163
2009-07-09 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (printInterfaceConfigurationCommands):
user can now add loopback interface to the cluster object and use
it in rules. This interface does not have failover group and has
the usual 127.0.0.1/8 ip address. fixes #163
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces):
ref #181: using failover group type instead of cluster interface
type.
* newClusterDialog.cpp (newClusterDialog::finishClicked): ref
#183: set type of the cluster intrfaces to "cluster_intrface".
Before, new cluster wizard unconditionally set it to "vrrp". Still
need to add dialog elements to let user choose failover protocol.
* linux24IfaceOptsDialog.cpp (linux24IfaceOptsDialog::linux24IfaceOptsDialog):
fixes #180: hide "interface type" gui element from the "advanced"
interface options dialog for the main interfaces of cluster
objects. These interfaces have no parameters and their type always
matches the type of failover cluster group object. All parameters
of the failover protocol are set in the dialog of the failover
group.
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): ref #180 :
disable "Advanced settings" button in the interface object
dialog if it is main intrface of a cluster object.
2009-06-29 Vadim Kurland <vadim@vk.crocodile.org>
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Compiler
checks types of state sync and failover groups and aborts if
it finds unsupported type. Fixes #164
* ClusterDialog.cpp (ClusterDialog::resetClusterGroupTypes): fix
types of state sync and failover groups when user changes host OS
and/or platform. Fixes #164
2009-06-28 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24_interfaces.cpp (printBondingInterfaceConfigurationCommands):
Support for intrface bonding for generic Linux firewall.
"Advanced" interface settings dialog provides three interface types:
"vlan", "bridge", "bonding". For bonding interfaces, GUI controls
are provided for the following parameters: mode, xmit_hash_policy
and a free-style single line input field for other driver options.
Fixes #172
* platforms.cpp (getInterfaceTypes): Support for "heartbeat"
failover protocol in clusters: "heartbeat" interface type,
"heartbeat" failover group type. Compiler adds rules to permit
vrrp only when failover type is set to "vrrp". For "heartbeat"
failover no rules are added atm. Fixes #169
* Compiler_cluster.cpp (Compiler::processFailoverGroup): (change
in libfwbuilder) fixes #166: cluster should be allowed to have
interfaces with the same name as interfaces of the member
firewall (i.e. "eth0"). This is necessary to support failover
protocols that do not create virtual interfaces, but rather
operate over normal interfaces, such as heartbeat.
2009-06-23 vadim <vadim@vk.crocodile.org>
* pfAdvancedDialog.cpp (pfAdvancedDialog::pfAdvancedDialog): force
the tab widget to open tab 0 on creation of the dialog. Often
after the dialog was modified in Designer, it is left in the state
when it opens on some random page. This fixes #155 "pf advanced
settings dialog opens on tab "Script" by default"
* OSConfigurator_bsd.h: common class for all supported BSD-like
host OS (freebsd, openbsd, macosx). Using common base class to
avoid code duplication. This fixes #162 "ifconfig commands to
create carp and pfsync interfaces are not generated for FreeBSD".
* ClusterGroupDialog.cpp (ClusterGroupDialog::addIcon): fixes #161:
pfsync protocol does not require "master" setting in cluster group.
* clusterMembersDialog.cpp (clusterMembersDialog::availableClicked):
Let user click in any column of the list except the very first to
select interface to be added to the list of cluster group members.
* clusterMembersDialog.cpp (clusterMembersDialog::updateAvailableTree):
fixes #111 "Member dialog should keep the tree on the left hand
side expanded all the time". The left hand side panel used to
collapse all available firewalls, thus hiding their interfaces
from view every time user added an interface to the right hand
side panel.
* CompilerDriver.cpp (CompilerDriver::configure): Using separator
"," between fw object id and file name instead of ':' which was a
poor choice because it is part of the file path on Windows. Fixes #157
* CompilerDriver_pf.cpp (CompilerDriver_pf::getConfFileName): Using
QT classes QFileInfo and QDir to manipulate output file names
and paths portably.
* freebsd.xml.in: Support CARP/pfsync clusters on FreeBSD.
2009-06-19 vadim <vadim@vk.crocodile.org>
* release_notes_3.1.0_en_US.html: fixes #146: A warning telling
the user that the way bridging interfaces should be configured has
changed. Uses a one-time dialog created per #145. Refs #145 #147.
* FWWindow.cpp (FWWindow::startupLoad): Fixes #145: universal
facility for a one-time dialog shown to the user on program start.
These dialogs will have important information about the
release. Dialog is shown once for each version.
2009-06-18 vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog::newFirewallDialog):
Fixes #90: Interface attribute "bridgeport" has been deprecated,
removing GUI controls in the new firewall dialog and interface
dialog.
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): Fixes #143:
If inetrface is a bridge port, then GUI elemnts "regular",
"dynamic" "unnumbered" should be disabled b/c it can not have an
ip address. Instead, showing text label "Bridge Port Interface".
* ObjectManipulator.cpp (ObjectManipulator::relocateTo):
Implemented drag&drop function to move objects from one place in
the tree to another. Dragging with Ctrl button pressed creates a
copy. Fixes #141.
2009-06-17 vadim <vadim@vk.crocodile.org>
* v3.0.5 released in the main production branch
2009-06-14 vadim <vadim@vk.crocodile.org>
* InterfaceDialog.cpp (InterfaceDialog::loadFWObject): Ticket #55:
(libfwbuilder) deprecated isExt() and setExt() methods. Platforms
that care about interface being external should use security
levels. Currently this is only PIX and it uses sec. levels
already. Also removed dialog element in InterfaceDialog class
and references to these methods elsewhere. Compilers did not
use the flag "ext" already.
2009-06-11 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule):
@ -88,8 +1244,44 @@
care of the situation when group A referenced group B, which in
turn referenced group A again.
* OSConfigurator_linux24_interfaces.cpp (OSConfigurator_linux24::printBridgeInterfaceConfigurationCommands):
implemented support for bridge configuration on Linux using brctl
tool. Of bridge options only "stp on" is supported, it turns on
STP protocol support on the bridge.
2009-06-02 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::configureInterfaces):
implemented support for VLAN interfaces for Linux24 host os.
Generated script uses "vconfig" to create and configure vlan
interfaces. GUI provides elements for VLAN ID and VLAN interface
name type (VLAN_PLUS_VID (vlan0005), VLAN_PLUS_VID_NO_PAD (vlan5),
DEV_PLUS_VID (eth0.0005), DEV_PLUS_VID_NO_PAD (eth0.5). Compiler
verifies that the name of the vlan interface object matches
requested name type.
2009-06-01 vadim <vadim@vk.crocodile.org>
* OSConfigurator_openbsd.cpp (OSConfigurator_openbsd::configureInterfaces):
implemented support for pfsync interface configuration for
OpenBSD. Unicast communication method can be configured using
checkbox in the pfsync protocol options dialog. Compiler generates
ifconfig commands to configure pfsync virtual interfaces if
checkbox "Configure pfsync interfaces" is turned on in the pf
"advanced" settings dialog. Only one pfsync interface per firewall
is supported (pfsync0), only with IPv4 addresses.
* OSConfigurator_openbsd.cpp (OSConfigurator_openbsd::configureInterfaces):
implemented support for CARP interface configuration for OpenBSD.
Generated script uses ifconfig to create and configure carpN
interfaces. The script is added only if option "Configure CARP
interfaces" is turned on in the "advanced" settings dialog for PF.
Currently only IPv4 addresses are supported and only one address
per CARP interface is configured. CARP password and VHID are
defined in the failover protocol settings dialog that user can open
by clicking "Protocol parameters" button in the Failover group
object dialog.
* newHostDialog.cpp (newHostDialog::selectedInterface): fixed the
same error reported in bug #2799163: "crash on correcting an
error". The GUI crashed if user tried to add, then delete
@ -127,6 +1319,11 @@
running copies. Copy/Paste and Drag&Drop between separate copies
are not supported at this time.
2009-05-30 vadim <vadim@vk.crocodile.org>
* CompilerDriver_pf_run.cpp (CompilerDriver_pf::run): ref #22:
compiler for PF uses CompilerDriver class.
2009-05-29 vadim <vadim@vk.crocodile.org>
* newFirewallDialog.cpp (newFirewallDialog::finishClicked): better
@ -260,16 +1457,80 @@
support for Secuwall and is easier to maintain than separate
platform-os pairs for each appliance.
2009-05-08 vadim <vadim@vk.crocodile.org>
* clusterMembersDialog.h (class clusterMembersDialog): Renamed
class and module secuwallClusterConfDialog to
clusterMembersDialog. This dialog is generic and is not specific
to secunet wall in any way. This fixes #13.
* PolicyCompiler_ipt.cpp (removeFW::processNext): fixes #15: using
Compiler::isFirewallOrCluster to match object in rules to both
firewall or it parent cluster. This helps compiler idenitify
cluster in rules and choose correct chains (INPUT/OUTPUT) as if
firewall object was there.
* CompilerDriver.cpp (CompilerDriver::determineOutputFileName):
this method implements logic that extracts enforced output file
names from command line parameters of the compiler or determines
these names automatically.
* instDialog_compile.cpp (instDialog::prepareArgForCompiler):
While compiling firewall cluster, passing output file name to the
compiler using "-O" command line option. The old option "-o" is
preserved for backwards compatibility and is used while compiling
stand-alone firewall objects.
2009-05-07 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::createTreeItem): dialog that
lists firewalls and clusters for compilation and installation puts
checkbox for compile next to a cluster and checkbox for install
next to a real firewall. Checkboxes are pre-checked if
corresponding objects require compilation and installtion. Mutual
dependencies between cluster and its members are tracked. this
fixes #19
* ipt.cpp (main): Policy compiler for iptables accepts either
Firewall or Cluster object as an argument. If Cluster is
specified, compiler runs itself several times, generating script
for each member firewall. Object can be defined by its name or ID
as before. This fixes #18.
* CompilerDriver.h (class CompilerDriver): Introduced class
CompilerDriver that controls invocation of Policy, Mangle, NAT and
Routing compilers for one firewall. The firewall may be part of a
cluster, in which case we create several objects of this class and
process each member firewall separately.
* PolicyCompiler_secuwall.cpp (PolicyCompiler_secuwall::addMgmtRule):
fixes #16: using RuleSet::insertRuleAtTop with arg hidden_rule to
make automatic rules added for secunet wall "hidden". This way,
these rules are ignored during shadowing detection and their
position numbers are forced negative so that position numbers of
regular rules do not change.
2009-05-06 vadim <vadim@vk.crocodile.org>
* FirewallInstallerCisco.cpp (FirewallInstallerCisco::activatePolicy):
fixed bug #2787932 "External install script is not supported for
PIX".
* fixed bug #2787857: "b847 crashes on Start". v3.0.5 build 847
links with QtDBus framework as part of the future development but
the framework file was not included in the bundle. This caused
crash on Mac OS X.
2009-05-04 vadim <vadim@vk.crocodile.org>
* instDialog_ui_ops.cpp (instDialog::fillCompileSelectList):
dialog that shows list of firewalls for compilation and
installation now uses QTreeWidget and displays firewall clusters
and corresponding member firewalls as branches in the tree. The
rest of the functionality remains the same as before. If user
selected a cluster object in the object tree and clicked "Compile"
in its context menu, only member firewalls of this clusters are
going to be checked for compilation. Clicking "Compile" toolbar
button or main menu selects all firewalls for compilation as
before. Cluster objects can not be selected (do not have
checkboxes in the widget) because compiler and installer works
with actual firewall objects rather than cluster objects. This
fixes ticket #7.
2009-05-02 vadim <vadim@vk.crocodile.org>
@ -312,6 +1573,16 @@
group". The GUI crashed if user clicked and dragged mouse inside
empty list of group members in the dialog of the new group object.
2009-04-17 vadim <vadim@vk.crocodile.org>
* ClusterDialog.cpp (ClusterDialog::ClusterDialog): Support for
clusters of firewalls
* Merging patches from Secunet Security Networks AG to add support
for Secuwall firewall.
* VERSION: start v3.1.0 branch v3_1_secunet
2009-04-15 vadim <vadim@vk.crocodile.org>
* ipcopAdvancedDialog.cpp (ipcopAdvancedDialog::ipcopAdvancedDialog):

196
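--- a/doc/README.cluster
+++ b/doc/README.cluster
@@ -0,0 +1,196 @@
+Firewall Builder Clustering Add-On
+==================================
+Copyright (c) 2009 secunet Security Networks AG, Germany
+Copyright (c) 2009 Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
+Copyright (c) 2009 Reto Buerki <buerki@swiss-it.ch>
+Index
+-----
+1 - Introduction
+2 - Definition
+3 - Usage
+4 - Example
+5 - Things to consider
+6 - References
+Introduction
+------------
+The Firewall Builder Clustering Add-On provides the possibility to manage
+multiple firewall objects together as one Cluster object. Cluster objects are
+used to configure HA (High Availability) features like conntrack [1] and VRRP [2]
+(Virtual Router Redundancy Protocol).
+Definition
+----------
+In the context of this Add-On a 'cluster' object is regarded as a meta-object
+grouping multiple firewall objects. This allows for a much simpler and convenient
+configuration of a HA scenario. The configuration is done once for the meta-object
+'Cluster' and automatically compiled and distributed for each cluster member firewall.
+[cluster] (meta-object)
+|
+|
++-----------------+-----------------+
+| | |
+[fw1] (object) [fw2] (object) [fwX] (object)
+Usage
+-----
+To use the clustering feature, you need to create firewalls which will be part
+of a HA cluster and create the cluster itself. The following two sections
+describe the necessary steps.
+Firewall configuration
+~~~~~~~~~~~~~~~~~~~~~~
+Make sure that all firewalls of a cluster use the same host OS and platform. The
+host OS and platform of all cluster member firewalls must match the one
+specified for the cluster itself.
+The following diagram defines two firewalls configured appropriately as cluster
+members:
+[fw1] [OS: secunet wall, Platform: iptables]
+|
++---o eth0: outside (ext)
+| +---o IP: 172.24.0.2/255.255.0.0
+|
++---o eth1: inside
++---o IP: 192.168.1.2/255.255.255.0
+[fw2] [OS: secunet wall, Platform: iptables]
+|
++---o eth0: outside (ext)
+| +---o IP: 172.24.0.3/255.255.0.0
+|
++---o eth1: inside
++---o IP: 192.168.1.3/255.255.255.0
+Both firewalls have an outside and an inside interface. In a cluster scenario,
+these interfaces will be combined to a redundant VRRP cluster interface.
+VRRP requires all interfaces joined to a VRRP group to be in the same subnet,
+with unique IP addresses.
+Cluster configuration
+~~~~~~~~~~~~~~~~~~~~~
+Now it's time to create a Cluster object which will act as meta-object for fw1
+and fw2:
+[cluster1] [OS: secunet wall, Platform: iptables]
+|
++---o vrrp0: outside (ext)
+| +---o IP: 172.24.0.1/255.255.0.0
+| +---o Failover group0 (vrrp)
+|
++---o vrrp1: inside (mgmt)
+| +---o IP: 192.168.1.1/255.255.255.0
+| +---o Failover group1 (vrrp)
+|
++---o State synchronization group (conntrack)
+Use the 'Manage Members' button to add firewall interfaces to the failover and
+state synchronization groups of the cluster. Additionally you need to specify
+which firewall interface is to act as master of the group.
+The firewall interfaces added to the state synchronization group will be used to
+keep the state information of the cluster members in sync. Typically the
+internal management interfaces are chosen as members of the conntrack group.
+For all cluster groups the IP addresses of it's firewall member interfaces have
+to be in the same subnet and the subnet mask must be identical to the one of the
+cluster interface.
+The following table shows the mapping of interfaces to cluster groups for our
+example configuration:
++-----------------+--------------------+
+| group | mapped interfaces |
++-----------------+--------------------+
+| State sync | fw1:eth1, fw2:eth1 |
+| Failover group0 | fw1:eth0, fw2:eth0 |
+| Failover group1 | fw1:eth1, fw2:eth1 |
++-----------------+--------------------+
+NAT/Policy/Routing Rules
+~~~~~~~~~~~~~~~~~~~~~~~~
+NAT, policy and routing rules are configured on the cluster meta-object. Rules
+are specified in the usual manner. Use the cluster object or it's interfaces as
+rule elements as you would for a regular firewall.
+NOTE: Rules defined on cluster member firewalls will be ignored on compilation,
+only the rules defined on the cluster object are considered.
+Compilation/Installation/Export
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+It's possible to compile, install and export firewalls which are part of a
+cluster the usual way by selecting a single firewall and the corresponding
+action (Compile/Install/Export).
+If you perform such an action on the cluster meta-object, all member firewalls
+will be selected automatically. Thus the cluster object provides a convenient
+way to perform actions on all cluster member firewalls.
+Cluster template
+~~~~~~~~~~~~~~~~
+This Add-On includes Cluster templates which can be used as starting point for
+complex cluster configurations. Enable the 'Use preconfigured template cluster
+object' checkbox when creating a new cluster object to use these templates.
+Example
+-------
+The scenario described in this README can be found as example Firewall Builder
+file here [3].
+Things to consider
+------------------
+* Host OS and platform of firewall members must match OS and platform of the
+cluster.
+* Cluster member firewalls must have at least one physical interface attached.
+* Rules must be configured on the Cluster meta-object. Rules for cluster member
+firewalls are ignored.
+* All IP addresses of interfaces added to a cluster group must be in the same
+subnet.
+* All addresses of a cluster group must be unique.
+* Cluster interface names must be unique per cluster.
+References
+----------
+[1] - http://conntrack-tools.netfilter.org/
+[2] - RFC3768 - Virtual Router Redundancy Protocol (VRRP)
+[3] - doc/cluster_examples.fwb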

266
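--- a/doc/cluster_examples.fwb
+++ b/doc/cluster_examples.fwb
@@ -0,0 +1,266 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="12" lastModified="1244032500" id="root">
+<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
+<Library id="id1495X26217" color="#d2ffd0" name="User" comment="" ro="False">
+<ObjectGroup id="id1502X26217" name="Clusters" comment="" ro="False">
+<Cluster id="id2835X30406" host_OS="secuwall" inactive="False" lastCompiled="1244034211" lastInstalled="0" lastModified="1244034079" platform="iptables" name="cluster1" comment="This cluster has two interfaces. vrrp0 faces outside; vrrp1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. The firewall uses one of the machines on the external network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, external network with 172.24.0.0/255.255.0.0. Outside vrrp0 cluster interface has address 172.24.0.1/255.255.0.0; inside vrrp1 interface has address 192.168.1.1/255.255.255.0. This cluster has two firewall members configured: fw1 and fw2." ro="False">
+<NAT id="id2839X30406" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+<Policy id="id2838X30406" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+<PolicyRule id="id7725X31743" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
+<Src neg="False">
+<ObjectRef ref="id3DC75CE7-1"/>
+<ObjectRef ref="id2835X30406"/>
+</Src>
+<Dst neg="False">
+<ObjectRef ref="sysid0"/>
+</Dst>
+<Srv neg="False">
+<ServiceRef ref="sysid1"/>
+</Srv>
+<Itf neg="False">
+<ObjectRef ref="id2843X30406"/>
+</Itf>
+<When neg="False">
+<IntervalRef ref="sysid2"/>
+</When>
+<PolicyRuleOptions/>
+</PolicyRule>
+<PolicyRule id="id4654X31417" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
+<Src neg="False">
+<ObjectRef ref="id3DC75CE7-1"/>
+</Src>
+<Dst neg="False">
+<ObjectRef ref="sysid0"/>
+</Dst>
+<Srv neg="False">
+<ServiceRef ref="sysid1"/>
+</Srv>
+<Itf neg="False">
+<ObjectRef ref="sysid0"/>
+</Itf>
+<When neg="False">
+<IntervalRef ref="sysid2"/>
+</When>
+<PolicyRuleOptions/>
+</PolicyRule>
+<PolicyRule id="id4482X31743" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="firewall uses one of the machines on external network for DNS">
+<Src neg="False">
+<ObjectRef ref="id2835X30406"/>
+</Src>
+<Dst neg="True">
+<ObjectRef ref="id3DC75CE7-1"/>
+</Dst>
+<Srv neg="False">
+<ServiceRef ref="id3F530CC8"/>
+</Srv>
+<Itf neg="False">
+<ObjectRef ref="id2843X30406"/>
+</Itf>
+<When neg="False">
+<IntervalRef ref="sysid2"/>
+</When>
+<PolicyRuleOptions>
+<Option name="stateless">False</Option>
+</PolicyRuleOptions>
+</PolicyRule>
+<PolicyRule id="id4386X31417" disabled="False" log="True" position="3" action="Deny" direction="Both" comment="">
+<Src neg="False">
+<ObjectRef ref="sysid0"/>
+</Src>
+<Dst neg="False">
+<ObjectRef ref="sysid0"/>
+</Dst>
+<Srv neg="False">
+<ServiceRef ref="sysid1"/>
+</Srv>
+<Itf neg="False">
+<ObjectRef ref="sysid0"/>
+</Itf>
+<When neg="False">
+<IntervalRef ref="sysid2"/>
+</When>
+<PolicyRuleOptions>
+<Option name="stateless">True</Option>
+</PolicyRuleOptions>
+</PolicyRule>
+</Policy>
+<Routing id="id2840X30406" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+<Interface id="id2843X30406" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
+<IPv4 id="id2844X30406" name="cluster1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
+<InterfaceOptions>
+<Option name="iface_mtu">1500</Option>
+<Option name="type">vrrp</Option>
+</InterfaceOptions>
+<FailoverClusterGroup id="id2846X30406" master_iface="id1522X26217" type="vrrp" name="cluster1:vrrp0:members" comment="">
+<ObjectRef ref="id1522X26217"/>
+<ObjectRef ref="id2830X30406"/>
+<ClusterGroupOptions>
+<Option name="vrrp_secret">my_secret</Option>
+<Option name="vrrp_vrid">1</Option>
+</ClusterGroupOptions>
+</FailoverClusterGroup>
+</Interface>
+<Interface id="id2848X30406" dyn="False" label="inside" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
+<IPv4 id="id2849X30406" name="cluster1:vrrp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
+<InterfaceOptions>
+<Option name="iface_mtu">1500</Option>
+<Option name="type">vrrp</Option>
+</InterfaceOptions>
+<FailoverClusterGroup id="id2851X30406" master_iface="id1524X26217" type="vrrp" name="cluster1:vrrp1:members" comment="">
+<ObjectRef ref="id1524X26217"/>
+<ObjectRef ref="id2832X30406"/>
+<ClusterGroupOptions>
+<Option name="vrrp_secret">my_secret</Option>
+<Option name="vrrp_vrid">2</Option>
+</ClusterGroupOptions>
+</FailoverClusterGroup>
+</Interface>
+<FirewallOptions/>
+<StateSyncClusterGroup id="id2841X30406" master_iface="id1524X26217" type="conntrack" name="State Sync Group" comment="">
+<ObjectRef ref="id1524X26217"/>
+<ObjectRef ref="id2832X30406"/>
+<ClusterGroupOptions/>
+</StateSyncClusterGroup>
+</Cluster>
+</ObjectGroup>
+<ObjectGroup id="id1496X26217" name="Objects" comment="" ro="False">
+<ObjectGroup id="id1497X26217" name="Addresses" comment="" ro="False"/>
+<ObjectGroup id="id1498X26217" name="DNS Names" comment="" ro="False"/>
+<ObjectGroup id="id1499X26217" name="Address Tables" comment="" ro="False"/>
+<ObjectGroup id="id1500X26217" name="Groups" comment="" ro="False"/>
+<ObjectGroup id="id1501X26217" name="Hosts" comment="" ro="False"/>
+<ObjectGroup id="id1503X26217" name="Networks" comment="" ro="False"/>
+<ObjectGroup id="id1504X26217" name="Address Ranges" comment="" ro="False"/>
+</ObjectGroup>
+<ServiceGroup id="id1505X26217" name="Services" comment="" ro="False">
+<ServiceGroup id="id1506X26217" name="Groups" comment="" ro="False"/>
+<ServiceGroup id="id1507X26217" name="ICMP" comment="" ro="False"/>
+<ServiceGroup id="id1508X26217" name="IP" comment="" ro="False"/>
+<ServiceGroup id="id1509X26217" name="TCP" comment="" ro="False"/>
+<ServiceGroup id="id1510X26217" name="UDP" comment="" ro="False"/>
+<ServiceGroup id="id1511X26217" name="Users" comment="" ro="False"/>
+<ServiceGroup id="id1512X26217" name="Custom" comment="" ro="False"/>
+<ServiceGroup id="id1513X26217" name="TagServices" comment="" ro="False"/>
+</ServiceGroup>
+<ObjectGroup id="id1514X26217" name="Firewalls" comment="" ro="False">
+<Firewall id="id1516X26217" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244032311" platform="iptables" version="" name="fw1" comment="This firewall has two interfaces. eth0 faces outside and has a static address of 172.24.0.2/255.255.0.0; eth1 faces inside with an address of 192.168.1.2/255.255.255.0. This firewall is a member of cluster 'cluster1'." ro="False">
+<NAT id="id1520X26217" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+<Policy id="id1519X26217" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+<Routing id="id1521X26217" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+<Interface id="id1522X26217" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
+<IPv4 id="id1523X26217" name="fw1:eth0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.0.0"/>
+<InterfaceOptions>
+<Option name="iface_mtu">1500</Option>
+<Option name="iface_type">ethernet</Option>
+</InterfaceOptions>
+</Interface>
+<Interface id="id1524X26217" dyn="False" label="inside" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
+<IPv4 id="id1525X26217" name="fw1:eth1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
+<InterfaceOptions>
+<Option name="iface_mtu">1500</Option>
+<Option name="iface_type">ethernet</Option>
+</InterfaceOptions>
+</Interface>
+<Management address="0.0.0.0">
+<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
+<FWBDManagement enabled="False" identity="" port="-1"/>
+<PolicyInstallScript arguments="" command="" enabled="False"/>
+</Management>
+<FirewallOptions>
+<Option name="accept_established">true</Option>
+<Option name="accept_new_tcp_with_no_syn">true</Option>
+<Option name="check_shading">true</Option>
+<Option name="configure_interfaces">true</Option>
+<Option name="firewall_is_part_of_any_and_networks">true</Option>
+<Option name="flush_and_set_default_policy">True</Option>
+<Option name="limit_value">0</Option>
+<Option name="linux24_ip_forward">1</Option>
+<Option name="load_modules">true</Option>
+<Option name="local_nat">false</Option>
+<Option name="log_level">info</Option>
+<Option name="log_prefix">RULE %N -- %A </Option>
+<Option name="loopback_interface">lo</Option>
+<Option name="manage_virtual_addr">true</Option>
+<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
+<Option name="secuwall_add_files">False</Option>
+<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
+<Option name="secuwall_dns_reso1">files</Option>
+<Option name="ulog_nlgroup">1</Option>
+<Option name="verify_interfaces">true</Option>
+</FirewallOptions>
+</Firewall>
+<Firewall id="id2824X30406" host_OS="secuwall" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1244032419" platform="iptables" version="" name="fw2" comment="This firewall has two interfaces. eth0 faces outside and has a static address of 172.24.0.3/255.255.0.0; eth1 faces inside with an address of 192.168.1.3/255.255.255.0. This firewall is a member of cluster 'cluster1'." ro="False">
+<NAT id="id2828X30406" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+<Policy id="id2827X30406" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+<Routing id="id2829X30406" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+<Interface id="id2830X30406" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
+<IPv4 id="id2831X30406" name="fw2:eth0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.0.0"/>
+<InterfaceOptions>
+<Option name="iface_mtu">1500</Option>
+<Option name="iface_type">ethernet</Option>
+</InterfaceOptions>
+</Interface>
+<Interface id="id2832X30406" dyn="False" label="inside" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
+<IPv4 id="id2833X30406" name="fw2:eth1:ip" comment="" ro="False" address="192.168.1.3" netmask="255.255.255.0"/>
+<InterfaceOptions>
+<Option name="iface_mtu">1500</Option>
+<Option name="iface_type">ethernet</Option>
+</InterfaceOptions>
+</Interface>
+<Management address="0.0.0.0">
+<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
+<FWBDManagement enabled="False" identity="" port="-1"/>
+<PolicyInstallScript arguments="" command="" enabled="False"/>
+</Management>
+<FirewallOptions>
+<Option name="accept_established">true</Option>
+<Option name="accept_new_tcp_with_no_syn">true</Option>
+<Option name="check_shading">true</Option>
+<Option name="configure_interfaces">true</Option>
+<Option name="firewall_is_part_of_any_and_networks">true</Option>
+<Option name="flush_and_set_default_policy">True</Option>
+<Option name="limit_value">0</Option>
+<Option name="linux24_ip_forward">1</Option>
+<Option name="load_modules">true</Option>
+<Option name="local_nat">false</Option>
+<Option name="log_level">info</Option>
+<Option name="log_prefix">RULE %N -- %A </Option>
+<Option name="loopback_interface">lo</Option>
+<Option name="manage_virtual_addr">true</Option>
+<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
+<Option name="secuwall_add_files">False</Option>
+<Option name="secuwall_add_files_dir">/opt/secuwall/templates/default</Option>
+<Option name="secuwall_dns_reso1">files</Option>
+<Option name="ulog_nlgroup">1</Option>
+<Option name="verify_interfaces">true</Option>
+</FirewallOptions>
+</Firewall>
+</ObjectGroup>
+<IntervalGroup id="id1515X26217" name="Time" comment="" ro="False"/>
+</Library>
+<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
+<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
+<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
+<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
+</ObjectGroup>
+</ObjectGroup>
+<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
+<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
+<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
+<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
+<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
+<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
+<ServiceRef ref="udp-DNS"/>
+<ServiceRef ref="tcp-DNS"/>
+</ServiceGroup>
+</ServiceGroup>
+<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
+<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
+</ServiceGroup>
+<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
+<TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
+</ServiceGroup>
+</ServiceGroup>
+</Library>
+</FWObjectDatabase>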
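Review bot: The inside cluster interface `vrrp1` is declared with `security_level="0"` while the member interfaces it fronts (`fw1:eth1`, `fw2:eth1`) carry `security_level="100"`, so the cluster object labels both of its interfaces as equally untrusted even though the README describes vrrp1 as the inside/management side; if the compiler reads the level from the cluster interface rather than the members, `security_level="100"` on the vrrp1 `<Interface>` looks like the intended value. The same file ships a literal VRRP authentication secret in both failover groups (`<Option name="vrrp_secret">my_secret</Option>`), and README.cluster points users at this file as the starting scenario, so a copied configuration keeps that shared secret unless the user notices it; an obviously placeholder value or a sentence in the cluster's `comment` attribute stating that the VRRP secret must be replaced before deployment would make that harder to miss. I can't tell from this page whether the GUI validates either field.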


@ -48,6 +48,7 @@ man.files = fwbedit.1 \
fwb_ipt.1 \
fwb_pf.1 \
fwb_pix.1 \
export_secuwall.1 \
# fwb_install.1 \
# fwb_compile_all.1 \


@ -1,446 +1,1406 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.1.5" lastModified="1150430669" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="11" id="root">
<Library color="#d2ffd0" id="id449356F828075" name="User">
<ObjectGroup id="id449356F928075" name="Objects">
<ObjectGroup id="id449356FA28075" name="Addresses"/>
<ObjectGroup id="id449356FB28075" name="DNS Names"/>
<ObjectGroup id="id449356FC28075" name="Address Tables"/>
<ObjectGroup id="id449356FD28075" name="Groups"/>
<ObjectGroup id="id449356FE28075" name="Hosts">
<ObjectGroup id="id449356F928075_clusters" name="Clusters"/>
<ObjectGroup id="id449356FA28075" name="Addresses"/><ObjectGroup id="id449356FB28075" name="DNS Names"/><ObjectGroup id="id449356FC28075" name="Address Tables"/><ObjectGroup id="id449356FD28075" name="Groups"/><ObjectGroup id="id449356FE28075" name="Hosts">
<Host comment="This object represents a PC with a single network interface" id="id44935FEF28075" name="server">
<Interface bridgeport="False" dyn="False" id="id44935FF128075" label="" name="eth0" security_level="0" unnum="False">
<IPv4 address="192.168.1.1" comment="" id="id44935FF228075" name="server:eth0:ip" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
</ObjectGroup><ObjectGroup id="id449356FF28075" name="Networks"/><ObjectGroup id="id4493570028075" name="Address Ranges"/>
</ObjectGroup>
<ObjectGroup id="id449356FF28075" name="Networks"/>
<ObjectGroup id="id4493570028075" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id4493570128075" name="Services">
<ServiceGroup id="id4493570228075" name="Groups"/>
<ServiceGroup id="id4493570328075" name="ICMP"/>
<ServiceGroup id="id4493570428075" name="IP"/>
<ServiceGroup id="id4493570528075" name="TCP"/>
<ServiceGroup id="id4493570628075" name="UDP"/>
<ServiceGroup id="id4493570728075" name="Custom"/>
<ServiceGroup id="id4493570128075_userservices" name="Users"/>
<ServiceGroup id="id4493570228075" name="Groups"/>
<ServiceGroup id="id4493570328075" name="ICMP"/>
<ServiceGroup id="id4493570428075" name="IP"/>
<ServiceGroup id="id4493570528075" name="TCP"/>
<ServiceGroup id="id4493570628075" name="UDP"/>
<ServiceGroup id="id4493570728075" name="Custom"/>
<ServiceGroup id="id4493570828075" name="TagServices">
<TagService comment="" id="id44935FFA28075" name="tag-isp1" tagcode="1"/>
<TagService comment="" id="id44935FFB28075" name="tag-isp2" ro="False" tagcode="2"/>
<TagService comment="" id="id44935FFB28075" name="tag-isp2" ro="False" tagcode="2"/>
</ServiceGroup>
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="id4493570928075" name="Firewalls">
<Firewall comment="this firewall demonstrates technique for the redundant Internet connection through two different ISPs. Firewall provides outgoing access for hosts on internal network through ISP1 and allows access to a server on internal net using NAT through IP addresses provided by both ISPs." host_OS="linux24" id="id44935AA428075" inactive="False" lastCompiled="1150429960" lastInstalled="0" lastModified="1150430669" name="example1" platform="iptables" ro="False" version="">
<NAT id="id44935B3E28075">
<NAT top_rule_set="True" id="id44935B3E28075" name="NAT">
<NATRule comment="Translate source address&#10;for outgoing connections" disabled="False" id="id44935B4D28075" position="0">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id44935B6E28075"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id44935B5C28075" position="1">
<NATRule disabled="False" id="id44935B5C28075" position="1">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id44935B7428075"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id44935FEF28075"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule disabled="False" id="id4493621228075" position="2">
<NATRule disabled="False" id="id4493621228075" position="2">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id44935B6E28075"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id44935FEF28075"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id44935AAA28075">
</NAT>
<Policy top_rule_set="True" id="id44935AAA28075" name="Policy">
<PolicyRule action="Tag" direction="Inbound" disabled="False" id="id44935B8828075" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="id44935B6E28075"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">True</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="tagvalue">1</Option>
<Option name="rule_name_accounting"/>
<Option name="tagobject_id">id44935FFA28075</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Tag" direction="Inbound" disabled="False" id="id44935FFD28075" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="id44935B7428075"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">True</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_oif"/>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="tagvalue">2</Option>
<Option name="rule_name_accounting"/>
<Option name="tagobject_id">id44935FFB28075</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" direction="Both" disabled="False" id="id4493608A28075" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id44935FFA28075"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif">eth1</Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif">eth1</Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" direction="Both" disabled="False" id="id4493609728075" log="False" position="3">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="id44935FFB28075"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif">eth2</Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="action_on_reject"/>
<Option name="branch_anchor_name"/>
<Option name="branch_chain_name"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif">eth2</Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"/>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4493613C28075" log="False" position="4">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="id44935FEF28075"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4493615428075" log="False" position="5">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule action="Deny" disabled="False" id="id44935B3228075" log="True" position="6">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id44935B6A28075"/>
<Interface bridgeport="False" comment="this interface is internal, it is connected to LAN behind the firewall" dyn="False" id="id44935B6B28075" label="" mgmt="True" name="eth0" security_level="100" unnum="False">
</Policy>
<Routing top_rule_set="True" id="id44935B6A28075" name="Routing">
</Routing>
<Interface bridgeport="False" comment="this interface is internal, it is connected to LAN behind the firewall" dyn="False" id="id44935B6B28075" label="" mgmt="True" name="eth0" security_level="100" unnum="False">
<IPv4 address="192.168.1.1" comment="" id="id44935B6D28075" name="example1:eth0:ip" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="first external interface connected to ISP1" dyn="False" id="id44935B6E28075" label="" mgmt="False" name="eth1" security_level="0" unnum="False">
<Interface bridgeport="False" comment="first external interface connected to ISP1" dyn="False" id="id44935B6E28075" label="" mgmt="False" name="eth1" security_level="0" unnum="False">
<IPv4 address="192.0.2.1" comment="" id="id44935B7028075" name="example1:eth1:ip" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="loopback interface" dyn="False" id="id44935B7128075" label="" mgmt="False" name="lo" security_level="100" unnum="False">
<Interface bridgeport="False" comment="loopback interface" dyn="False" id="id44935B7128075" label="" mgmt="False" name="lo" security_level="100" unnum="False">
<IPv4 address="127.0.0.1" comment="" id="id44935B7328075" name="example1:lo:ip" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="the second external interface, connected to ISP2" dyn="False" id="id44935B7428075" label="" mgmt="False" name="eth2" security_level="0" unnum="False">
<Interface bridgeport="False" comment="the second external interface, connected to ISP2" dyn="False" id="id44935B7428075" label="" mgmt="False" name="eth2" security_level="0" unnum="False">
<IPv4 address="192.0.3.1" comment="" id="id44935B7628075" name="example1:eth2:ip" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.1">
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id4493570A28075" name="Time"/>
</Library>
<Library id="sysid99" name="Deleted Objects" ro="False">
<ObjectRef ref="id3DC75CE7-2"/>
</Library>
<Library color="#d4f8ff" comment="Standard objects" id="syslib000" name="Standard" ro="False">
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>
<AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
<ServiceGroup id="stdid05" name="Services">
<ServiceGroup id="stdid09" name="TCP">
<ServiceGroup id="stdid05_userservices" name="Users"/>
<ServiceGroup id="stdid09" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" fin_flag_mask="False" id="tcp-HTTP" name="http" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="25" dst_range_start="25" fin_flag="False" fin_flag_mask="False" id="tcp-SMTP" name="smtp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
</ServiceGroup>
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="stdid01" name="Objects">
<ObjectGroup id="stdid01_clusters" name="Clusters"/>
<ObjectGroup id="stdid03" name="Networks">
<Network comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" id="id3DC75CE7-1" name="net-192.168.1.0" address="192.168.1.0" netmask="255.255.255.0"/>
<Network comment="192.168.2.0/24 - Address often used for home and small office networks.&#10;" id="id3DC75CE7-2" name="net-192.168.2.0" address="192.168.2.0" netmask="255.255.255.0"/>
</ObjectGroup>
</ObjectGroup>
</ObjectGroup>
</Library>
</FWObjectDatabase>

77
doc/transfer_secuwall.1 Normal file

@ -0,0 +1,77 @@
.\" Title: transfer_secuwall
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.\" Date: 06/23/2009
.\" Manual:
.\" Source:
.\"
.TH "TRANSFER_SECUWALL" "1" "06/23/2009" "" ""
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
transfer_secuwall \- secunet wall configuration export utility
.SH "SYNOPSIS"
\fBtransfer_secuwall\fR [\-l] [\-h] [\-a] \-v \fIvolumeid\fR [\-f \fIfilename\&.xml\fR] [\-d \fIworkdir\fR] \fIfirewall_object_name\fR
.sp
The switches \-a, \-f and \-d are optional\&. If they are not specified, the appropriate defaults are used\&.
.sp
.SH "DESCRIPTION"
transfer_secuwall(1) is a helper utility to compress and export secunet wall host OS specific firewall configuration to a portable device\&.
.sp
It is also capable of searching and displaying all transfer devices of a system which are suitable for config transfer\&.
.sp
.SH "OPTIONS"
.PP
\fB\-l\fR
.RS 4
List all portable devices of the system\&.
.RE
.PP
\fB\-h\fR
.RS 4
Display help text\&.
.RE
.PP
\fB\-a\fR
.RS 4
Append firewall object name to transfer tarball\&. The default is
\fBfalse\fR\&.
.RE
.PP
\fB\-v\fR
.RS 4
Transfer partition\&. Specifies the destination partition for firewall configuration export (e\&.g\&. /dev/sdc1)\&.
.RE
.PP
\fB\-f\fR
.RS 4
Firewall Builder XML file with object definition of firewall to export config\&. If not specified, the filename will be constructed from the
\fIworkdir\fR
and
\fIfirewall_object_name\fR
values:
\fIworkdir\fR
+
\fIfwobjectname\fR
+ \&.fwb
.RE
.PP
\fB\-d\fR
.RS 4
Defines the working directory\&. If not specified, the current directory will be used\&.
.RE
.PP
\fIfirewall_object_name\fR
.RS 4
Firewall object name\&.
.RE
.SH "EXAMPLES"
$ transfer_secuwall \-f /tmp/cluster\&.fwb \-d /tmp \-v /dev/sdc1 fw3
.sp
This will export the configuration of secunet wall firewall \fBfw3\fR to the partition \fB/dev/sdc1\fR, using the Firewall Builder XML file \fBcluster\&.fwb\fR in the working directory \fB/tmp\fR\&.
.sp
.SH "AUTHOR"
Written by Reto Buerki <buerki@swiss\-it\&.ch>\&.
.sp


@ -0,0 +1,65 @@
TRANSFER_SECUWALL(1)
====================
NAME
----
transfer_secuwall - secunet wall configuration export utility
SYNOPSIS
--------
*transfer_secuwall* [-l] [-h] [-a] -v 'volumeid' [-f 'filename.xml'] [-d 'workdir'] 'firewall_object_name'
The switches -a, -f and -d are optional. If they are not specified, the
appropriate defaults are used.
DESCRIPTION
-----------
transfer_secuwall(1) is a helper utility to compress and export secunet wall host
OS specific firewall configuration to a portable device.
It is also capable of searching and displaying all transfer devices of a system
which are suitable for config transfer.
OPTIONS
-------
*-l*::
List all portable devices of the system.
*-h*::
Display help text.
*-a*::
Append firewall object name to transfer tarball. The default is *false*.
*-v*::
Transfer partition. Specifies the destination partition for firewall configuration export (e.g. /dev/sdc1).
*-f*::
Firewall Builder XML file with object definition of firewall to export config.
If not specified, the filename will be constructed from the 'workdir' and 'firewall_object_name' values:
'workdir' \+ 'fwobjectname' \+ .fwb
*-d*::
Defines the working directory. If not specified, the current directory will be used.
'firewall_object_name'::
Firewall object name.
EXAMPLES
--------
$ transfer_secuwall -f /tmp/cluster.fwb -d /tmp -v /dev/sdc1 fw3
This will export the configuration of secunet wall firewall *fw3* to the
partition */dev/sdc1*, using the Firewall Builder XML file *cluster.fwb* in the
working directory */tmp*.
AUTHOR
------
Written by Reto Buerki <buerki@swiss-it.ch>.


@ -1,6 +1,6 @@
#-*- mode: makefile; tab-width: 4; -*-
#
######### fwbuilder/qmake.inc.in
########## fwbuilder/qmake.inc.in
#
QTDIR = $$(QTDIR)
TEMPLATE = app
@ -20,6 +20,7 @@ unix {
ANTLR_INCLUDEPATH = @ANTLR_INCLUDEPATH@
ANTLR_LIBS = @ANTLR_LIBS@
FWBPARSER_LIB = ../parsers/libfwbparser.a
FWTRANSFER_LIB = ../fwtransfer/libfwtransfer.a
QMAKE_CXX = @CCACHE@ g++
@ -47,8 +48,10 @@ unix {
res.path = @RES_DIR@
res_os.path = @RES_DIR@/os/
res_platform.path = @RES_DIR@/platform/
res_help.path = @RES_DIR@/help/
res_desktop.path = @DATADIR@/applications/
res_help_C.path = @RES_DIR@/help/C
res_help_en_US.path = @RES_DIR@/help/en_US
res_configlets_linux24.path = @RES_DIR@/configlets/linux24
INSTALLS += res
INSTALLS += res_os
@ -58,6 +61,8 @@ unix {
PKGLOCALEDIR = $$res.path/locale
LIBS += $$LIBS_FWBUILDER @LIBS@
CONFIG += warn_on debug
QMAKE_CFLAGS_DEBUG += -Wno-unused-parameter
QMAKE_CFLAGS_RELEASE += -Wno-unused-parameter
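Review bot: The two new lines at the end of the hunk, `QMAKE_CFLAGS_DEBUG += -Wno-unused-parameter` and `QMAKE_CFLAGS_RELEASE += -Wno-unused-parameter`, only affect C compilation; this tree is built with `QMAKE_CXX = @CCACHE@ g++`, and as far as I know the g++ mkspecs copy `QMAKE_CFLAGS_*` into `QMAKE_CXXFLAGS_*` when the spec is loaded, before this file is read, so the C++ objects would keep the warning. If the intent is to quiet g++ on the C++ sources, add `QMAKE_CXXFLAGS_DEBUG += -Wno-unused-parameter` and `QMAKE_CXXFLAGS_RELEASE += -Wno-unused-parameter` alongside them. The enclosing `unix {` block starts outside the hunk.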


@ -36,18 +36,37 @@ string ciscoACL::addLine(const std::string &s)
return printLastLine();
}
/*
* Adds remark to access list. Checks and adds each remark only
* once. We use rule labels for remarks
*/
string ciscoACL::addRemark(const std::string &rl)
/*
* Adds remark to access list. Checks and adds each remark only
* once. We use rule labels for remarks
*/
string ciscoACL::addRemark(const std::string &rl, const std::string &comment)
{
if (_last_rule_label!=rl)
string output;
if (_last_rule_label != rl)
{
acl.push_back(" remark "+rl);
_last_rule_label=rl;
acl.push_back(" remark " + rl);
output += printLastLine();
nlines++;
return printLastLine();
if (!comment.empty())
{
string::size_type n, c1;
c1 = 0;
while ( (n = comment.find("\n", c1)) != string::npos )
{
acl.push_back(" remark " + comment.substr(c1, n-c1));
output += printLastLine();
nlines++;
c1 = n + 1;
}
acl.push_back(" remark " + comment.substr(c1));
output += printLastLine();
nlines++;
}
_last_rule_label = rl;
return output;
}
return "";
}
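Review bot: The `while` over `comment` in the new addRemark splits only on LF, so a comment stored with CRLF line ends carries a trailing `\r` into every `remark` line, and an empty segment — consecutive newlines or a trailing newline — produces a bare ` remark ` entry. IOS also caps remark text (100 characters on the versions I have used) and nothing here wraps or truncates a long comment line, so at minimum the loop should trim a trailing `\r` and skip empty segments, as below. While there, `comment.find("\n", c1)` can be `comment.find('\n', c1)`. The whole of addRemark is inside the hunk.
```cpp
        if (!comment.empty())
        {
            string::size_type c1 = 0;
            while (c1 <= comment.size())
            {
                string::size_type n = comment.find('\n', c1);
                string line = comment.substr(
                    c1, (n == string::npos) ? string::npos : n - c1);
                // tolerate CRLF line ends in the stored comment
                if (!line.empty() && line[line.size() - 1] == '\r')
                    line.erase(line.size() - 1);
                // skip blank lines instead of emitting a bare " remark "
                if (!line.empty())
                {
                    acl.push_back(" remark " + line);
                    output += printLastLine();
                    nlines++;
                }
                if (n == string::npos) break;
                c1 = n + 1;
            }
        }
        // … unchanged: _last_rule_label = rl; return output; …
```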


@ -73,9 +73,9 @@ class ciscoACL {
/*
* Adds remark to access list. Checks and adds each remark only
* once. We use rule labels for remarks
* once. We use rule labels and comments for remarks
*/
std::string addRemark(const std::string &rl);
std::string addRemark(const std::string &rl, const std::string &comment);
void setName(const std::string &s) { _name=s; }
std::string name() { return _name; }
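Review bot: The new `comment` parameter of addRemark is undocumented; the comment above the declaration now says labels and comments are used for remarks but not that `comment` may span several lines and that each line is emitted as its own `remark` entry after the label (which is what the .cpp hunk in this commit does). Suggest replacing the last comment line with ` * once. rl is the rule label; comment is free-form text and each of its lines becomes a separate remark after the label.`. The enclosing `class ciscoACL {` starts outside the hunk.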


@ -0,0 +1,266 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "../../build_num"
#include <fstream>
#include <iostream>
#include <algorithm>
#include <functional>
#include <stdexcept>
#include <assert.h>
#include <string>
#include <cstring>
#include <iomanip>
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "CompilerDriver_iosacl.h"
#include "PolicyCompiler_iosacl.h"
#include <QFileInfo>
#include <QDir>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
#ifdef _WIN32
string fs_separator = "\\";
#else
string fs_separator = "/";
#endif
CompilerDriver_iosacl::CompilerDriver_iosacl(FWObjectDatabase *db) :
CompilerDriver(db)
{
}
// create a copy of itself, including objdb
CompilerDriver* CompilerDriver_iosacl::clone()
{
return new CompilerDriver_iosacl(objdb);
}
void CompilerDriver_iosacl::printProlog(QTextStream &file, const string &prolog_code)
{
file << endl;
file << "#" << endl;
file << "# Prolog script" << endl;
file << "#" << endl;
file << prolog_code << endl;
file << "#" << endl;
file << "# End of prolog script" << endl;
file << "#" << endl;
}
string CompilerDriver_iosacl::safetyNetInstall(Firewall *fw)
{
ostringstream output;
if ( fw->getOptionsObject()->getBool("iosacl_acl_substitution") )
{
/* Generate short temporary ACL and assign it to all
* interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500)
as well as ssh from given subnet to any.
*/
string platform = fw->getStr("platform");
string version = fw->getStr("version");
string temp_acl = "tmp_acl";
string temp_acl_addr = fw->getOptionsObject()->getStr(
"iosacl_acl_temp_addr");
if (temp_acl_addr.empty())
{
cerr << "Missing address for management host or subnet for temporary ACL.\nPlease enter it in the tab 'Script options' in 'Firewall Settings' dialog"
<< endl;
exit(-1);
}
// if templ_acl_addr is ipv4 address, then we can not create this
// temporary ACL while compiling ipv6 policy. And vice versa.
bool create_temp_acl = false;
bool tmp_acl_ipv6 = false;
if (temp_acl_addr.find(":")!=string::npos)
{
//looks like ipv6
create_temp_acl = true;
tmp_acl_ipv6 = true;
} else
{
// not ipv6, assume ipv4
create_temp_acl = true;
tmp_acl_ipv6 = false;
}
if (create_temp_acl)
{
string::size_type slash_idx = temp_acl_addr.find('/');
string addr = temp_acl_addr;
string netmask = "255.255.255.255";
bool tmp_acl_v6 = false;
// check if addr is v6
try
{
InetAddr addrv6(AF_INET6, temp_acl_addr);
tmp_acl_v6 = true;
} catch(FWException &ex)
{
// Assume cnf->maddr is ipv4
if (slash_idx!=string::npos)
{
addr = temp_acl_addr.substr(0,slash_idx);
netmask = temp_acl_addr.substr(slash_idx+1);
try
{
if (netmask.find(".")!=string::npos)
{
InetAddr nm(netmask);
nm.getLength(); // to avoid warning abt unused var
} else
{
int nm_length;
istringstream str(netmask);
str >> nm_length;
InetAddr nm(nm_length);
netmask = nm.toString();
}
} catch(FWException &ex)
{
cerr << "Invalid netmask for management subnet: '"+netmask+"'"
<< endl;
exit(-1);
}
}
try
{
InetAddr a(addr);
a.isAny();
} catch(FWException &ex)
{
cerr << "Invalid address for management subnet: '"+addr+"'"
<< endl;
exit(-1);
}
}
string xml_element = "clear_ip_acl";
if (tmp_acl_ipv6) xml_element = "clear_ipv6_acl";
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/iosacl_commands/" + xml_element);
output << endl;
string addr_family_prefix = "ip";
string access_group_cmd =
PolicyCompiler_iosacl::getAccessGroupCommandForAddressFamily(tmp_acl_v6);
output << "! temporary access list for \"safety net install\""
<< endl;
output << endl;
if (tmp_acl_v6)
{
addr_family_prefix = "ipv6";
output << clearACLcmd << " " << temp_acl << endl;
output << "ipv6 access-list " << temp_acl << endl;
if (slash_idx!=string::npos)
output << " permit ipv6 " << addr << " any " << endl;
else
output << " permit ipv6 host " << addr << " any " << endl;
output << " permit icmp any any " << endl;
output << " deny ipv6 any any " << endl;
output << "exit" << endl;
output << endl;
} else
{
// cisco uses "wildcards" instead of netmasks
//long nm = InetAddr(netmask).to32BitInt();
//struct in_addr na;
//na.s_addr = ~nm;
InetAddr nnm( ~(InetAddr(netmask)) );
addr_family_prefix = "ip";
output << clearACLcmd << " " << temp_acl << endl;
output << "ip access-list extended " << temp_acl << endl;
output << " permit ip "
<< addr << " " << nnm.toString() << " any " << endl;
output << " deny ip any any " << endl;
output << "exit" << endl;
output << endl;
}
// find management interface
int nmi = 0;
list<FWObject*> ll = fw->getByType(Interface::TYPENAME);
for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++)
{
Interface *intf = Interface::cast( *i );
if (intf->isManagement())
{
nmi++;
output << "interface " << intf->getName() << endl;
output << " no " << addr_family_prefix << " ";
output << access_group_cmd;
output << " in" << endl;
output << " no " << addr_family_prefix << " ";
output << access_group_cmd;
output << " out" << endl;
output << " " << addr_family_prefix << " ";
output << access_group_cmd;
output << " " << temp_acl << " in" << endl;
output << "exit" << endl;
}
}
if (nmi==0)
{
cerr << "One of the interfaces of the firewall must be marked as management interface."
<< endl;
exit(-1);
}
output << endl;
}
}
return output.str();
}
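Review bot: safetyNetInstall derives the address family twice and uses the results inconsistently: `tmp_acl_ipv6` comes from `temp_acl_addr.find(":")` and selects `xml_element` (the clear command), while `tmp_acl_v6` comes from the `InetAddr(AF_INET6, temp_acl_addr)` parse and selects `access_group_cmd` and the ACL body, so an address that contains a colon but fails the IPv6 parse would emit an `ipv6` clear command for an `ip` ACL. `create_temp_acl` is set to true on both branches, so `if (create_temp_acl)` is dead; drop it and `tmp_acl_ipv6`, and derive the element from the one parsed flag: `string xml_element = tmp_acl_v6 ? "clear_ipv6_acl" : "clear_ip_acl";`. The three validation failures call `exit(-1)` whereas the driver's run() in the following file section throws `FWException` for a comparable condition; throwing keeps the failure reportable to the caller instead of terminating whatever process hosts the compiler. Separately, printProlog frames the prolog with `#` lines while every other comment this driver emits uses the IOS comment character `!`; if that text is meant to be pasted into an IOS configuration, `!` is the character IOS treats as a comment, to my knowledge.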


@ -0,0 +1,70 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __COMPILER_DRIVER_IOSACL_HH__
#define __COMPILER_DRIVER_IOSACL_HH__
#include "CompilerDriver.h"
#include <string>
#include <sstream>
#include <QTextStream>
namespace libfwbuilder {
class FWObjectDatabase;
class Cluster;
class ClusterGroup;
class Firewall;
class RuleSet;
class Interface;
};
namespace fwcompiler {
class CompilerDriver_iosacl : public CompilerDriver {
protected:
std::string safetyNetInstall(libfwbuilder::Firewall *fw);
void printProlog(QTextStream &file, const std::string &prolog_code);
public:
CompilerDriver_iosacl(libfwbuilder::FWObjectDatabase *db);
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
virtual std::string run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id);
};
};
#endif
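Review bot: The closing `};` after the `libfwbuilder` and `fwcompiler` namespace bodies each carry a stray semicolon, which `-pedantic` reports as an extra `;`; write them as `}`. The forward declarations of `Cluster`, `ClusterGroup`, `RuleSet` and `Interface` are not referenced by any declaration in this header, so they can go unless the .cpp is relying on them transitively. `safetyNetInstall` has no comment; from the .cpp in this commit, something like `// Returns IOS commands that, when option iosacl_acl_substitution is set, clear and create a temporary ACL and apply it inbound on the management interface(s) before the generated ACLs are installed` would tell a reader what it emits.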


@ -0,0 +1,405 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "../../build_num"
#ifndef _WIN32
# include <unistd.h>
# include <pwd.h>
#else
# include <direct.h>
# include <stdlib.h>
# include <io.h>
#endif
#include <fstream>
#include <iostream>
#include <algorithm>
#include <functional>
#include <stdexcept>
#include <memory>
#include <assert.h>
#include <cstring>
#include <iomanip>
#include "CompilerDriver_iosacl.h"
#include "PolicyCompiler_iosacl.h"
#include "RoutingCompiler_iosacl.h"
#include "OSConfigurator_ios.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include <QStringList>
#include <QFileInfo>
#include <QFile>
#include <QTextStream>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
string CompilerDriver_iosacl::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
commonChecks2(cluster, fw);
// Note that fwobjectname may be different from the name of the
// firewall fw This happens when we compile a member of a cluster
current_firewall_name = fw->getName().c_str();
QString ofname = determineOutputFileName(fw, !cluster_id.empty(), ".fw");
FWOptions* options = fw->getOptionsObject();
string fwvers = fw->getStr("version");
if (fwvers == "") fw->setStr("version", "12.x");
string platform = fw->getStr("platform");
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + fwvers + "/iosacl_commands/clear_ip_acl");
if (clearACLCmd.empty())
{
// incorrect version. This could have happened if user converted
// firewall platform. See bug #2662290
fw->setStr("version", "12.x");
}
bool ios_acl_basic = options->getBool("ios_acl_basic");
bool ios_acl_no_clear = options->getBool("ios_acl_no_clear");
bool ios_acl_substitution = options->getBool("ios_acl_substitution");
bool ios_add_clear_statements = options->getBool("ios_add_clear_statements");
if ( !ios_acl_basic &&
!ios_acl_no_clear &&
!ios_acl_substitution )
{
if ( ios_add_clear_statements ) options->setBool("ios_acl_basic",true);
else options->setBool("ios_acl_no_clear",true);
}
Helper helper(NULL);
char timestr[256];
time_t tm;
tm=time(NULL);
strcpy(timestr,ctime(&tm));
timestr[ strlen(timestr)-1 ]='\0';
#ifdef _WIN32
char* user_name=getenv("USERNAME");
#else
char* user_name=getenv("USER");
#endif
if (user_name==NULL)
throw FWException("Can't figure out your user name, aborting");
std::auto_ptr<OSConfigurator_ios> oscnf(new OSConfigurator_ios(objdb, fw, false));
oscnf->prolog();
oscnf->processFirewallOptions();
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
int policy_rules_count = 0;
vector<int> ipv4_6_runs;
string generated_script;
if (!single_rule_compile_on)
generated_script = safetyNetInstall(fw);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
// If neither is used, both parts will be done.
if (options->getStr("ipv4_6_order").empty() ||
options->getStr("ipv4_6_order") == "ipv4_first")
{
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
}
if (options->getStr("ipv4_6_order") == "ipv6_first")
{
if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
}
for (vector<int>::iterator i=ipv4_6_runs.begin();
i!=ipv4_6_runs.end(); ++i)
{
int policy_af = *i;
bool ipv6_policy = (policy_af == AF_INET6);
// Count rules for each address family
int policy_count = 0;
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p)
{
Policy *policy = Policy::cast(*p);
if (policy->matchingAddressFamily(policy_af)) policy_count++;
}
if (policy_count)
{
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb, fw, false));
prep->compile();
}
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p )
{
Policy *policy = Policy::cast(*p);
if (!policy->matchingAddressFamily(policy_af)) continue;
PolicyCompiler_iosacl c(objdb, fw, ipv6_policy, oscnf.get());
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
c.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) c.setTestMode();
if (inEmbeddedMode()) c.setEmbeddedMode();
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
c.setVerbose( verbose );
if ( c.prolog() > 0 )
{
c.compile();
c.epilog();
if (!single_rule_compile_on)
{
if (ipv6_policy)
{
generated_script += "\n\n";
generated_script += "! ================ IPv6\n";
generated_script += "\n\n";
} else
{
generated_script += "\n\n";
generated_script += "! ================ IPv4\n";
generated_script += "\n\n";
}
}
if (c.haveErrorsAndWarnings())
{
all_errors.push_back(c.getErrors("").c_str());
// generated_script +=
// "! Policy compiler errors and warnings:";
// generated_script += "\n";
// generated_script += c.getErrors("! ");
}
generated_script += c.getCompiledScript();
} else
info(" Nothing to compile in Policy");
}
if (!ipv6_policy)
{
list<FWObject*> all_routing = fw->getByType(Routing::TYPENAME);
RuleSet *routing = RuleSet::cast(all_routing.front());
// currently routing is supported only for ipv4
RoutingCompiler_iosacl r(objdb, fw, false, oscnf.get());
r.setSourceRuleSet(routing);
r.setRuleSetName(routing->getName());
r.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) r.setTestMode();
if (inEmbeddedMode()) r.setEmbeddedMode();
r.setDebugLevel( dl );
if (rule_debug_on) r.setDebugRule( drp );
r.setVerbose( verbose );
if ( r.prolog() > 0 )
{
r.compile();
r.epilog();
if (r.haveErrorsAndWarnings())
{
all_errors.push_back(r.getErrors("").c_str());
// generated_script +=
// "! Routing compiler errors and warnings:";
// generated_script += "\n";
// generated_script += r.getErrors("! ");
}
generated_script += r.getCompiledScript();
} else
info(" Nothing to compile in Routing");
}
}
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());
}
if (single_rule_compile_on)
{
return
all_errors.join("\n").toStdString() +
generated_script;
}
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << "!\n\
! This is automatically generated file. DO NOT MODIFY !\n\
!\n\
! Firewall Builder fwb_iosacl v" << VERSION << "-" << RELEASE_NUM << " \n\
!\n\
! Generated " << timestr
<< " "
<< tzname[0]
<< " by "
<< user_name;
script << endl;
script << "!" << endl;
script << "!" << " Compiled for " << platform << " " << fwvers << endl;
script << "!" << endl;
script << "!" << MANIFEST_MARKER << "* " << ofname << endl;
script << "!" << endl;
script << prepend("! ", all_errors.join("\n")) << endl;
script << endl;
script << "!" << endl;
script << "! Prolog script:" << endl;
script << "!" << endl;
string pre_hook= fw->getOptionsObject()->getStr("iosacl_prolog_script");
script << pre_hook << endl;
script << "!" << endl;
script << "! End of prolog script:" << endl;
script << "!" << endl;
script << oscnf->getCompiledScript();
script << endl;
script << generated_script;
script << endl;
script << endl;
script << "!" << endl;
script << "! Epilog script:" << endl;
script << "!" << endl;
string post_hook= fw->getOptionsObject()->getStr("iosacl_epilog_script");
script << post_hook << endl;
script << endl;
script << "! End of epilog script:" << endl;
script << "!" << endl;
QFile fw_file(ofname);
if (fw_file.open(QIODevice::WriteOnly))
{
QTextStream fw_str(&fw_file);
fw_str << script_buffer;
fw_file.close();
fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
QFile::ReadGroup | QFile::ReadOther |
QFile::ExeOwner |
QFile::ExeGroup |
QFile::ExeOther );
info(" Compiled successfully");
} else
{
throw FWException(string(" Failed to open file ") +
fw_file_name.toStdString() +
" for writing");
}
return "";
}


@ -0,0 +1,90 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "../../build_num"
#include <fstream>
#include <iostream>
#include <algorithm>
#include <functional>
#include <stdexcept>
#include <assert.h>
#include <string>
#include <cstring>
#include <iomanip>
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "CompilerDriver_pix.h"
#include "PolicyCompiler_pix.h"
#include "OSConfigurator_pix_os.h"
#include <QFileInfo>
#include <QDir>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
CompilerDriver_pix::CompilerDriver_pix(FWObjectDatabase *db) :
CompilerDriver(db)
{
}
// create a copy of itself, including objdb
CompilerDriver* CompilerDriver_pix::clone()
{
return new CompilerDriver_pix(objdb);
}
string CompilerDriver_pix::protocolInspectorCommands(Firewall *fw)
{
OSConfigurator_pix_os *oscnf =
new OSConfigurator_pix_os(objdb , fw, false);
oscnf->prolog();
string res = oscnf->getProtocolInspectionCommands();
delete oscnf;
return res;
}
void CompilerDriver_pix::printProlog(QTextStream &file, const string &prolog_code)
{
file << endl;
file << "#" << endl;
file << "# Prolog script" << endl;
file << "#" << endl;
file << prolog_code << endl;
file << "#" << endl;
file << "# End of prolog script" << endl;
file << "#" << endl;
}
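Review bot: `protocolInspectorCommands` keeps the `OSConfigurator_pix_os` in a raw pointer and frees it with `delete` only on the normal path, so if `prolog()` or `getProtocolInspectionCommands()` throws the object leaks; `run()` in this same commit already wraps the same type in `std::auto_ptr`, so the consistent fix is `std::auto_ptr<OSConfigurator_pix_os> oscnf(new OSConfigurator_pix_os(objdb, fw, false));` and dropping the `delete`. `printProlog` also writes its marker lines with `#`, whereas the header and prolog block that `run()` emits for the PIX script use `!`; if this helper is meant for the same output the comment prefix should match, and since no caller is visible in this commit a one-line comment stating which output format it targets would help.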


@ -0,0 +1,71 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __COMPILER_DRIVER_PIX_HH__
#define __COMPILER_DRIVER_PIX_HH__
#include "CompilerDriver.h"
#include <string>
#include <sstream>
#include <QTextStream>
namespace libfwbuilder {
class FWObjectDatabase;
class Cluster;
class ClusterGroup;
class Firewall;
class RuleSet;
class Interface;
};
namespace fwcompiler {
class CompilerDriver_pix : public CompilerDriver {
protected:
std::string safetyNetInstall(libfwbuilder::Firewall *fw);
void printProlog(QTextStream &file, const std::string &prolog_code);
public:
CompilerDriver_pix(libfwbuilder::FWObjectDatabase *db);
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
virtual std::string run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id);
std::string protocolInspectorCommands(libfwbuilder::Firewall *fw);
};
};
#endif
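Review bot: `clone()` returns a raw pointer allocated with `new` (see its definition in CompilerDriver_pix.cpp in this commit), but neither the declaration nor its comment says who owns it; extend the comment to `// create a copy of itself, including objdb; caller owns the returned driver and must delete it`. `safetyNetInstall` is declared protected here, yet no definition for it appears in the two CompilerDriver_pix source files shown in this commit and `run()` does not call it; if it lives elsewhere a short comment pointing there would help, otherwise it looks like a dead declaration. The include guard `__COMPILER_DRIVER_PIX_HH__` starts with a double underscore, which is reserved to the implementation; `COMPILER_DRIVER_PIX_HH` avoids that.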


@ -0,0 +1,593 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "../../build_num"
#ifndef _WIN32
# include <unistd.h>
# include <pwd.h>
#else
# include <direct.h>
# include <stdlib.h>
# include <io.h>
#endif
#include <fstream>
#include <iostream>
#include <algorithm>
#include <functional>
#include <stdexcept>
#include <memory>
#include <assert.h>
#include <cstring>
#include <iomanip>
#include "CompilerDriver_pix.h"
#include "PolicyCompiler_pix.h"
#include "NATCompiler_pix.h"
#include "RoutingCompiler_pix.h"
#include "OSConfigurator_pix_os.h"
#include "Helper.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include <QStringList>
#include <QFileInfo>
#include <QFile>
#include <QTextStream>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
class sort_by_net_zone {
string any_address_id;
public:
explicit sort_by_net_zone()
{
any_address_id = FWObjectDatabase::getStringId(
FWObjectDatabase::ANY_ADDRESS_ID);
}
bool operator()(const FWObject *a, const FWObject *b)
{
if (Interface::constcast(a) && Interface::constcast(b))
{
string netzone_a=a->getStr("network_zone");
string netzone_b=b->getStr("network_zone");
if ( netzone_a==any_address_id) return false;
if ( netzone_b==any_address_id) return true;
}
return false;
}
};
string CompilerDriver_pix::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
commonChecks2(cluster, fw);
// Note that fwobjectname may be different from the name of the
// firewall fw This happens when we compile a member of a cluster
current_firewall_name = fw->getName().c_str();
QString ofname = determineOutputFileName(fw, !cluster_id.empty(), ".fw");
FWOptions* options = fw->getOptionsObject();
bool pix_acl_basic=options->getBool("pix_acl_basic");
bool pix_acl_no_clear=options->getBool("pix_acl_no_clear");
bool pix_acl_substitution=options->getBool("pix_acl_substitution");
bool pix_add_clear_statements=options->getBool("pix_add_clear_statements");
if ( !pix_acl_basic &&
!pix_acl_no_clear &&
!pix_acl_substitution )
{
if ( pix_add_clear_statements ) options->setBool("pix_acl_basic",true);
else options->setBool("pix_acl_no_clear",true);
}
Helper helper(NULL);
multimap<string, FWObject*> netzone_objects;
std::list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
for (std::list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=dynamic_cast<Interface*>(*i);
assert(iface);
/*
* missing labels on interfaces
*/
if (iface->getLabel()=="")
{
string lbl;
if (iface->getSecurityLevel()==0) lbl="outside";
else
{
if (iface->getSecurityLevel()==100) lbl="inside";
else
{
char s[64];
sprintf(s,"dmz%d",iface->getSecurityLevel());
lbl=s;
}
}
iface->setLabel(lbl);
}
/*
* there shouldn't be two interfaces with the same security level
*/
for (std::list<FWObject*>::iterator j=l2.begin(); j!=l2.end(); ++j)
{
Interface *iface2=dynamic_cast<Interface*>(*j);
assert(iface2);
if (iface->getId()==iface2->getId()) continue;
if (iface->getSecurityLevel()==iface2->getSecurityLevel())
{
QString err(
"Security level of each interface should be unique, "
"however interfaces %1 (%2) and %3 (%4)"
" have the same security level."
);
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str())
.arg(iface2->getName().c_str())
.arg(iface2->getLabel().c_str()).toStdString());
}
}
/*
* in PIX, we need network zones to be defined for all interfaces
*/
string netzone_id=iface->getStr("network_zone");
if (netzone_id=="")
{
QString err("Network zone definition is missing for interface %1 (%2)");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str()).toStdString());
}
FWObject *netzone=objdb->findInIndex(
FWObjectDatabase::getIntId(netzone_id));
if (netzone==NULL)
{
QString err("Network zone points at nonexisting object for interface %1 (%2)");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str()).toStdString());
}
/*
* netzone may be a group, in which case we need to expand it
* (recursively).
*
* 1. We create new temporary object (type Group).
*
* 2. put it in the database somewhere
*
* 3. add all objects that belong to the network zone to this
* group. We add objects directly, not as a reference.
*
* 4. finally replace reference to the old network zone object in the
* interface with reference to this new group.
*
* 5. we store ID of the original network zone object
* using iface->setStr("orig_netzone_id")
*
* This ensures netzones do not contain other groups and do not
* require any recursive expanding anymore. Since objects were added
* to netzones directly, we do not need to bother with dereferencing,
* too.
*/
list<FWObject*> ol;
helper.expand_group_recursive_no_cache(netzone,ol);
FWObject *nz = objdb->createObjectGroup();
assert(nz!=NULL);
nz->setName("netzone_"+iface->getLabel());
objdb->add(nz);
for (list<FWObject*>::iterator j=ol.begin(); j!=ol.end(); ++j)
{
netzone_objects.insert( pair<string,FWObject*>(iface->getLabel(),*j));
nz->add(*j);
}
iface->setStr("orig_netzone_id", netzone_id );
iface->setStr("network_zone",
FWObjectDatabase::getStringId(nz->getId()) );
}
/*
* the same object (network or host) can not belong to network zones
* of two different interfaces. Map netzone_objects holds pairs
* interface_id/object. We just make sure the same object does not
* appear in two pairs with different interfaces.
*/
multimap<string,FWObject*>::iterator k;
for (k=netzone_objects.begin(); k!=netzone_objects.end(); ++k)
{
multimap<string,FWObject*>::iterator l;
l=k;
++l;
for ( ; l!=netzone_objects.end(); ++l)
{
if ( l->second->getId() == k->second->getId() )
{
if (k->first==l->first)
{
QString err("Object %1 is used more than once in network zone of interface %2");
abort(fw, NULL, NULL,
err.arg(l->second->getName().c_str())
.arg(k->first.c_str()).toStdString());
} else
{
QString err("Object %1 is used in network zones of "
"interfaces %2 and %3");
abort(fw, NULL, NULL,
err.arg(l->second->getName().c_str())
.arg(k->first.c_str())
.arg(l->first.c_str()).toStdString());
}
}
}
}
/*
* now sort interfaces by their network zone "width" (that is, more narrow
* network zone should go first, interface with network zone "any" should be
* the last)
*
std::sort(fw->begin(), fw->end(), sort_by_net_zone() );
*/
char timestr[256];
time_t tm;
tm=time(NULL);
strcpy(timestr,ctime(&tm));
timestr[ strlen(timestr)-1 ]='\0';
#ifdef _WIN32
char* user_name=getenv("USERNAME");
#else
char* user_name=getenv("USER");
#endif
if (user_name==NULL)
abort("Can't figure out your user name");
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb , fw, false));
prep->compile();
/*
* Process firewall options, build OS network configuration script
*/
std::auto_ptr<OSConfigurator> oscnf(new OSConfigurator_pix_os(objdb , fw, false));
oscnf->prolog();
oscnf->processFirewallOptions();
/* create compilers and run the whole thing */
std::auto_ptr<NATCompiler_pix> n(new NATCompiler_pix(objdb, fw, false, oscnf.get()));
RuleSet *nat = RuleSet::cast(fw->getFirstByType(NAT::TYPENAME));
if (nat)
{
n->setSourceRuleSet(nat);
n->setRuleSetName(nat->getName());
if (inTestMode()) n->setTestMode();
if (inEmbeddedMode()) n->setEmbeddedMode();
n->setSingleRuleCompileMode(single_rule_id);
n->setDebugLevel( dl );
if (rule_debug_on) n->setDebugRule( drn );
n->setVerbose( verbose );
if ( n->prolog() > 0 )
{
n->compile();
n->epilog();
} else
info(" Nothing to compile in NAT");
}
std::auto_ptr<PolicyCompiler_pix> c(
new PolicyCompiler_pix(objdb, fw, false, oscnf.get() , n.get()));
RuleSet *policy = RuleSet::cast(fw->getFirstByType(Policy::TYPENAME));
if (policy)
{
c->setSourceRuleSet(policy);
c->setRuleSetName(policy->getName());
if (inTestMode()) c->setTestMode();
if (inEmbeddedMode()) c->setEmbeddedMode();
c->setSingleRuleCompileMode(single_rule_id);
c->setDebugLevel( dl );
if (rule_debug_on) c->setDebugRule( drp );
c->setVerbose( verbose );
if ( c->prolog() > 0 )
{
c->compile();
c->epilog();
} else
info(" Nothing to compile in Policy");
}
std::auto_ptr<RoutingCompiler_pix> r(new RoutingCompiler_pix(objdb, fw, false, oscnf.get()));
RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME));
if (routing)
{
r->setSourceRuleSet(routing);
r->setRuleSetName(routing->getName());
if (inTestMode()) r->setTestMode();
if (inEmbeddedMode()) r->setEmbeddedMode();
r->setSingleRuleCompileMode(single_rule_id);
r->setDebugLevel( dl );
if (rule_debug_on) r->setDebugRule( drp );
r->setVerbose( verbose );
if ( r->prolog() > 0 )
{
r->compile();
r->epilog();
} else
info(" Nothing to compile in Routing");
}
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());
}
if (single_rule_compile_on)
{
ostringstream ostr;
if (c->haveErrorsAndWarnings())
{
all_errors.push_back(c->getErrors("").c_str());
// ostr << "! Policy compiler errors and warnings:"
// << endl;
// ostr << c->getErrors("! ");
}
ostr << c->getCompiledScript();
if (n->haveErrorsAndWarnings())
{
all_errors.push_back(n->getErrors("").c_str());
// ostr << "! NAT compiler errors and warnings:"
// << endl;
// ostr << n->getErrors("! ");
}
ostr << n->getCompiledScript();
if (r->haveErrorsAndWarnings())
{
all_errors.push_back(r->getErrors("").c_str());
// ostr << "! Routing compiler errors and warnings:"
// << endl;
// ostr << r->getErrors("! ");
}
ostr << r->getCompiledScript();
return
all_errors.join("\n").toStdString() +
ostr.str();
}
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << "!\n\
! This is automatically generated file. DO NOT MODIFY !\n\
!\n\
! Firewall Builder fwb_pix v" << VERSION << "-" << BUILD_NUM << " \n\
!\n\
! Generated " << timestr
<< " "
<< tzname[0]
<< " by "
<< user_name;
script << endl;
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
bool outbound_acl_supported = Resources::platform_res[platform]->getResourceBool(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+
"/pix_outbound_acl_supported");
bool afpa = options->getBool("pix_assume_fw_part_of_any");
bool emulate_outb_acls = options->getBool("pix_emulate_out_acl");
bool generate_outb_acls = options->getBool("pix_generate_out_acl");
script << "!" << endl;
script << "!"
<< " Compiled for "
<< platform
<< " " << vers << endl;
script << "!"
<< " Outbound ACLs "
<< string((outbound_acl_supported)?"supported":"not supported")
<< endl;
if (!outbound_acl_supported)
{
script << "!"
<< " Emulate outbound ACLs: "
<< string((emulate_outb_acls)?"yes":"no")
<< endl;
}
script << "!"
<< " Generating outbound ACLs: "
<< string((generate_outb_acls)?"yes":"no")
<< endl;
script << "!"
<< " Assume firewall is part of 'any': "
<< string((afpa)?"yes":"no")
<< endl;
script << "!" << endl;
script << "!" << MANIFEST_MARKER << "* " << ofname << endl;
script << "!" << endl;
if (c->haveErrorsAndWarnings())
all_errors.push_back(c->getErrors("C ").c_str());
if (n->haveErrorsAndWarnings())
all_errors.push_back(n->getErrors("N ").c_str());
if (r->haveErrorsAndWarnings())
all_errors.push_back(r->getErrors("R ").c_str());
script << prepend("! ", all_errors.join("\n")).toStdString() << endl;
script << endl;
script << "!" << endl;
script << "! Prolog script:" << endl;
script << "!" << endl;
string pre_hook= fw->getOptionsObject()->getStr("pix_prolog_script");
script << pre_hook << endl;
script << "!" << endl;
script << "! End of prolog script:" << endl;
script << "!" << endl;
script << oscnf->getCompiledScript();
script << endl;
// if (c->haveErrorsAndWarnings())
// {
// script << "! Policy compiler errors and warnings:"
// << endl;
// script << c->getErrors("! ");
// }
script << c->getCompiledScript();
script << endl;
// if (n->haveErrorsAndWarnings())
// {
// script << "! NAT compiler errors and warnings:"
// << endl;
// script << n->getErrors("! ");
// }
script << n->getCompiledScript();
script << endl;
// if (r->haveErrorsAndWarnings())
// {
// script << "! Routing compiler errors and warnings:"
// << endl;
// script << r->getErrors("! ");
// }
script << r->getCompiledScript();
script << "!" << endl;
script << "! Epilog script:" << endl;
script << "!" << endl;
string post_hook = fw->getOptionsObject()->getStr("pix_epilog_script");
script << post_hook << endl;
script << endl;
script << "! End of epilog script:" << endl;
script << "!" << endl;
QFile fw_file(ofname);
if (fw_file.open(QIODevice::WriteOnly))
{
QTextStream fw_str(&fw_file);
fw_str << script_buffer;
fw_file.close();
fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
QFile::ReadGroup | QFile::ReadOther |
QFile::ExeOwner |
QFile::ExeGroup |
QFile::ExeOther );
info(" Compiled successfully");
} else
{
throw FWException(string(" Failed to open file ") +
fw_file_name.toStdString() +
" for writing");
}
return "";
}
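Review bot: The `by` field of the generated header streams `user_name`, taken straight from `getenv("USER")` or `getenv("USERNAME")`, into the `! Generated ...` comment line, so an environment value containing a newline or other control characters terminates the comment and the remainder lands in the PIX configuration as its own line; copy it into a `std::string` and drop characters for which `iscntrl()` is true before streaming it. The iosacl driver's `run()` at the top of this page emits the same field the same way and needs the same treatment. The write-failure branch at the end reports `fw_file_name` while the file actually opened is `ofname`; unless those are guaranteed equal, the message should read `throw FWException(string(" Failed to open file ") + ofname.toStdString() + " for writing");`. `Resources::platform_res[platform]` looks like `operator[]` on a map of pointers, which for an unrecognised platform string would default-insert a null entry and then dereference it; if that is its type, a `find()` with an explicit abort is safer.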


@ -233,10 +233,10 @@ list<int> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
{
Rule *rule = Rule::cast(re->getParent());
compiler->abort(
re->getParent(),
string("findInterfaceByNetzoneOrAll failed to retrieve first "
"object from the rule element; is argument not of "
"the type RuleElementSrc or RuleElementDst ? Rule ") +
rule->getLabel());
"the type RuleElementSrc or RuleElementDst ?"));
}
try
{
@ -253,7 +253,8 @@ list<int> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
Resources::getTargetCapabilityBool(
compiler->fw->getStr("platform"), "network_zones");
if (supports_network_zones) compiler->warning(err);
if (supports_network_zones)
compiler->warning(err);
FWObjectTypedChildIterator i = compiler->fw->findByType(
Interface::TYPENAME);
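Review bot: In the first hunk `Rule *rule = Rule::cast(re->getParent());` is kept although its only use, the `rule->getLabel()` suffix, was removed from the message, so `rule` is now an unused local unless it is referenced in lines outside the hunk. Deleting that line is the simplest fix; it also removes the former null dereference when the parent was not a `Rule`, which the new `abort(re->getParent(), ...)` form no longer risks. The enclosing function `findInterfaceByNetzoneOrAll` starts before the first hunk and continues past the second.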


@ -54,10 +54,10 @@ using namespace std;
string NATCompiler_pix::myPlatformName() { return "pix"; }
NATCompiler_pix::NATCompiler_pix(FWObjectDatabase *_db,
const std::string &fwname,
Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf) :
NATCompiler(_db, fwname, ipv6_policy, _oscnf) , helper(this)
NATCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this)
{
}
@ -105,8 +105,8 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
{
NATRule *rule=NATRule::cast(r);
Interface *iface1 = getCachedFwInterface( rule->getInt("nat_iface_orig") );
Interface *iface2 = getCachedFwInterface( rule->getInt("nat_iface_trn") );
FWObject *iface1 = dbcopy->findInIndex( rule->getInt("nat_iface_orig") );
FWObject *iface2 = dbcopy->findInIndex( rule->getInt("nat_iface_trn") );
string iface1_name=(iface1!=NULL)?iface1->getName():"";
string iface2_name=(iface2!=NULL)?iface2->getName():"";
@ -257,10 +257,15 @@ bool NATCompiler_pix::VerifyRules::processNext()
RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv);
if (rule->getRuleType()==NATRule::LB)
compiler->abort("Load balancing rules are not supported. Rule "+rule->getLabel());
compiler->abort(
rule,
"Load balancing rules are not supported.");
if (rule->getRuleType()==NATRule::NONAT && (!osrv->isAny() || !tsrv->isAny()))
compiler->abort("'no nat' rules should have no services");
compiler->abort(
rule,
"'no nat' rules should have no services");
if (osrc->getNeg() ||
@ -269,7 +274,10 @@ bool NATCompiler_pix::VerifyRules::processNext()
tsrc->getNeg() ||
tdst->getNeg() ||
tsrv->getNeg())
compiler->abort("Negation is not supported in NAT rules. Rule "+rule->getLabel());
compiler->abort(
rule,
"Negation is not supported in NAT rules.");
if (rule->getRuleType()==NATRule::SNAT)
{
@ -278,7 +286,11 @@ bool NATCompiler_pix::VerifyRules::processNext()
if ( ! odst->isAny() && version_lt_63) // can do on fwsm
{
compiler->warning("Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. Rule "+rule->getLabel());
compiler->warning(
rule,
"Original destination is ignored in 'nat' NAT rules "
"when compiling for PIX v6.2 and earlier.");
odst->clearChildren();
odst->setAnyElement();
}
@ -287,20 +299,36 @@ bool NATCompiler_pix::VerifyRules::processNext()
if (rule->getRuleType()==NATRule::DNAT)
{
if ( odst->size()!=1 && version_lt_63)
compiler->abort("There should be no more than one object in original destination in the rule "+rule->getLabel());
compiler->abort(
rule,
"There should be no more than one object in original destination");
if ( ! osrc->isAny() && version_lt_63)
compiler->warning("Original source is ignored in 'static' NAT rules when compiling for PIX v6.2 and earlier. Rule "+rule->getLabel());
compiler->warning(
rule,
"Original source is ignored in 'static' NAT rules "
"when compiling for PIX v6.2 and earlier.");
}
if (osrv->size()!=1 && !tsrv->isAny())
compiler->abort("Can not translate multiple services into one service in one rule. Rule: "+rule->getLabel());
compiler->abort(
rule,
"Can not translate multiple services into one service in one rule. ");
if (tsrv->size()!=1)
compiler->abort("Translated service should be 'Original' or should contain single object. Rule: "+rule->getLabel());
compiler->abort(
rule,
"Translated service should be 'Original' or should contain single object.");
if ( Group::cast( compiler->getFirstTSrv(rule) )!=NULL)
compiler->abort("Can not use group in translated service. Rule "+rule->getLabel());
compiler->abort(
rule,
"Can not use group in translated service.");
if (rule->getRuleType()==NATRule::SNetnat && !tsrc->isAny() )
{
@ -308,7 +336,10 @@ bool NATCompiler_pix::VerifyRules::processNext()
Network *a2=Network::cast(compiler->getFirstTSrc(rule));
if ( a1==NULL || a2==NULL ||
a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() )
compiler->abort("Original and translated source should both be networks of the same size . Rule "+rule->getLabel());
compiler->abort(
rule,
"Original and translated source should both be networks of the same size");
}
if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() )
@ -317,7 +348,10 @@ bool NATCompiler_pix::VerifyRules::processNext()
Network *a2=Network::cast(compiler->getFirstTDst(rule));
if ( a1==NULL || a2==NULL ||
a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() )
compiler->abort("Original and translated destination should both be networks of the same size . Rule "+rule->getLabel());
compiler->abort(
rule,
"Original and translated destination should both be networks of the same size.");
}
if (rule->getRuleType()==NATRule::SNetnat) rule->setRuleType(NATRule::SNAT);
@ -355,17 +389,18 @@ bool NATCompiler_pix::AssignInterface::processNext()
rule->setInt("nat_iface_trn", helper.findInterfaceByNetzone(a2));
if ( rule->getInt("nat_iface_orig")==-1 )
compiler->abort("Object '" + a1->getName() +
"' does not belong to any known network zone. Rule: " +
rule->getLabel());
compiler->abort(
rule,
"Object '" + a1->getName() +
"' does not belong to any known network zone.");
if ( rule->getInt("nat_iface_trn")==-1 )
compiler->abort("Object '" + a2->getName() +
"' does not belong to any known network zone. Rule: " +
rule->getLabel());
// if ( rule->getInt("nat_iface_orig")==rule->getInt("nat_iface_trn"))
// compiler->abort("Objects '"+a1->getName()+"' and '"+a2->getName()+"' belong to the same network zone. Can not build NAT configuration. Rule: "+rule->getLabel());
compiler->abort(
rule,
"Object '" + a2->getName() +
"' does not belong to any known network zone.");
return true;
}
@ -394,11 +429,12 @@ bool NATCompiler_pix::verifyInterfaces::processNext()
sprintf(lvl1,"%d",iface1->getSecurityLevel());
sprintf(lvl2,"%d",iface2->getSecurityLevel());
compiler->abort(
"Security level of internal interface "+
iface1->getName() + " (level "+ lvl1 +") "+
" set lower than that of external interface "+
iface2->getName() + " (level "+ lvl2 +") "+
" for NAT rule "+rule->getLabel());
rule,
"Security level of internal interface "+
iface1->getName() + " (level "+ lvl1 +") "+
" set lower than that of external interface "+
iface2->getName() + " (level "+ lvl2 +") ");
}
}
}
@ -425,16 +461,20 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
if (rule->getRuleType()==NATRule::SNAT)
{
if ((! osrv->isAny() || ! tsrv->isAny()) && version_lt_63)
compiler->abort("only PIX v6.3 recognizes services in global NAT. "
"Rule: "+rule->getLabel() );
compiler->abort(
rule,
"only PIX v6.3 and later recognizes services in global NAT.");
}
if (rule->getRuleType()==NATRule::DNAT)
{
if (AddressRange::cast(odst) || AddressRange::cast(tdst))
compiler->abort(
"Address ranges are not supported in original destination or "
"translated destination in NAT rule "+rule->getLabel() );
rule,
"Address ranges are not supported in original destination or "
"translated destination ");
if (Network::isA(odst) && Network::isA(tdst))
{
@ -445,18 +485,25 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
if ( !(n1==n2) )
compiler->abort(
"Original and translated destination must be of the same "
"size in the NAT rule "+rule->getLabel());
rule,
"Original and translated destination must be of the same "
"size");
}
if (osrv->getTypeName()!=tsrv->getTypeName())
compiler->abort("Original and translated services must be of "
"the same type. Rule: "+rule->getLabel());
compiler->abort(
rule,
"Original and translated services must be of "
"the same type.");
if (ICMPService::isA(osrv))
compiler->abort("ICMP services are not supported in static NAT. "
"Rule: "+rule->getLabel());
compiler->abort(
rule,
"ICMP services are not supported in static NAT. ");
if (TCPService::isA(osrv) || UDPService::isA(osrv))
{
@ -464,8 +511,11 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
int dre=TCPUDPService::cast(osrv)->getDstRangeEnd();
if (drs!=dre)
compiler->abort("TCP or UDP service with a port range is not "
"supported in NAT. Rule "+rule->getLabel());
compiler->abort(
rule,
"TCP or UDP service with a port range is not "
"supported in NAT.");
}
if (TCPService::isA(tsrv) || UDPService::isA(tsrv))
{
@ -473,8 +523,11 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
int dre=TCPUDPService::cast(tsrv)->getDstRangeEnd();
if (drs!=dre)
compiler->abort("TCP or UDP service with a port range is not "
"supported in NAT. Rule "+rule->getLabel());
compiler->abort(
rule,
"TCP or UDP service with a port range is not "
"supported in NAT.");
}
}
@ -562,11 +615,12 @@ bool NATCompiler_pix::ReplaceFirewallObjectsODst::processNext()
{
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i) {
Interface *interface_=Interface::cast(*i);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface = Interface::cast(*i);
if (! interface_->isLoopback() &&
interface_->isExt() ) cl.push_back(interface_);
if (! iface->isLoopback() && iface->getSecurityLevel()==0 )
cl.push_back(iface);
}
if ( ! cl.empty() ) {
while (rel->size())
@ -608,8 +662,9 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
if ( ! rule->getOSrc()->isAny())
{
osrc=compiler->getFirstOSrc(rule); assert(osrc!=NULL);
osrc_iface=compiler->getCachedFwInterface( helper.findInterfaceByNetzone(osrc ) );
osrc_level=osrc_iface->getSecurityLevel();
osrc_iface = Interface::cast(
compiler->dbcopy->findInIndex( helper.findInterfaceByNetzone(osrc)));
osrc_level = osrc_iface->getSecurityLevel();
}
rel=rule->getTSrc(); assert(rel);
@ -627,15 +682,14 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *interface_=Interface::cast(*i);
if (interface_->getSecurityLevel()<osrc_level )
cl.push_back(interface_);
Interface *iface = Interface::cast(*i);
if (iface->getSecurityLevel()<osrc_level )
cl.push_back(iface);
}
} else
{
Address *odst=compiler->getFirstODst(rule); assert(odst!=NULL);
Interface *odst_iface=compiler->getCachedFwInterface( helper.findInterfaceByNetzone(odst ) );
Address *odst=compiler->getFirstODst(rule); assert(odst!=NULL);
FWObject *odst_iface=compiler->dbcopy->findInIndex( helper.findInterfaceByNetzone(odst ) );
if (odst_iface!=NULL) cl.push_back(odst_iface);
}
if ( ! cl.empty() ) {
@ -661,13 +715,15 @@ void NATCompiler_pix::UseFirewallInterfaces::scanInterfaces(RuleElement *rel)
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
Address *obj=Address::cast(o);
if(obj==NULL)
compiler->abort("Broken rule element "+
rel->getTypeName()+
" in rule "+
NATRule::cast(rel->getParent())->getLabel()+
" ( found object with type "+
string((o!=NULL)?o->getTypeName():"<NULL>") +
")");
compiler->abort(
rel->getParent(),
"Broken rule element "+
rel->getTypeName()+
" in rule "+
NATRule::cast(rel->getParent())->getLabel()+
" ( found object with type "+
string((o!=NULL)?o->getTypeName():"<NULL>") +
")");
const InetAddr *obj_addr = obj->getAddressPtr();
if (obj_addr==NULL) return;
@ -714,11 +770,13 @@ bool NATCompiler_pix::processNONATRules::processNext()
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
Interface *osrc_iface=compiler->getCachedFwInterface( helper.findInterfaceByNetzone(osrc ) );
Interface *odst_iface=compiler->getCachedFwInterface( helper.findInterfaceByNetzone(odst ) );
Interface *osrc_iface = Interface::cast(
compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(osrc)));
Interface *odst_iface = Interface::cast(
compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(odst)));
int osrc_level=osrc_iface->getSecurityLevel();
int odst_level=odst_iface->getSecurityLevel();
int osrc_level = osrc_iface->getSecurityLevel();
int odst_level = odst_iface->getSecurityLevel();
/*
* PIX has two types of NONAT rules, one is when connection goes from
@ -774,11 +832,11 @@ bool NATCompiler_pix::createNATCmd::processNext()
natcmd->o_src = osrc;
natcmd->o_dst = odst;
natcmd->o_srv = osrv;
natcmd->o_iface = compiler->getCachedFwInterface(
rule->getInt("nat_iface_orig") );
natcmd->o_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInt("nat_iface_orig")));
natcmd->t_addr = tsrc;
natcmd->t_iface = compiler->getCachedFwInterface(
rule->getInt("nat_iface_trn" ) );
natcmd->t_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInt("nat_iface_trn")));
natcmd->nat_acl_name = pix_comp->getNATACLname(rule,"");
pix_comp->registerACL(natcmd->nat_acl_name);
@ -807,7 +865,11 @@ bool NATCompiler_pix::createNATCmd::processNext()
if (natcmd->outside && compiler->fw->getStr("platform")=="pix" &&
libfwbuilder::XMLTools::version_compare(compiler->fw->getStr("version"),"6.2")<0 )
compiler->abort("Bi-Directional NAT of source addresses is only supported in PIX 6.2 and newer. Rule "+rule->getLabel());
compiler->abort(
rule,
"Bi-Directional NAT of source addresses is only "
"supported in PIX 6.2 and newer.");
/*
* map is sorted container, this means that objects are going to be arranged
@ -1125,7 +1187,10 @@ bool NATCompiler_pix::processMultiAddressObjectsInRE::processNext()
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
MultiAddress *atrt = MultiAddress::cast(o);
if (atrt!=NULL && atrt->isRunTime())
compiler->abort("Run-time AddressTable and DNSName objects are not supported. Rule " + rule->getLabel());
compiler->abort(
rule,
"Run-time AddressTable and DNSName objects are not supported.");
}
tmp_queue.push_back(rule);
@ -1213,20 +1278,24 @@ bool NATCompiler_pix::DetectGlobalPoolProblems::processNext()
{
if (checkOverlapping(*(natcmd->t_addr),
*(natcmd->t_iface->getAddressPtr())))
compiler->abort("Global pool "
+printGlobalPoolAddress(*(natcmd->t_addr))
+" overlaps with interface address. Rule "
+rule->getLabel());
compiler->abort(
rule,
"Global pool "
+printGlobalPoolAddress(*(natcmd->t_addr))
+" overlaps with interface address.");
if (checkOverlapping(*(natcmd->t_addr),
*(natcmd->t_iface->getBroadcastAddressPtr()))
||
checkOverlapping(*(natcmd->t_addr),
*(natcmd->t_iface->getAddressPtr())) )
compiler->warning("Global pool "
+printGlobalPoolAddress(*(natcmd->t_addr))
+" overlaps with broadcast address. Rule "
+rule->getLabel());
compiler->warning(
rule,
"Global pool "
+printGlobalPoolAddress(*(natcmd->t_addr))
+" overlaps with broadcast address.");
}
for (map<int,NATCmd*>::iterator i1=pix_comp->nat_commands.begin();
@ -1246,12 +1315,14 @@ bool NATCompiler_pix::DetectGlobalPoolProblems::processNext()
{
if ( ! fwcompiler::_find_obj_intersection(natcmd->t_addr,nc->t_addr).empty() )
{
compiler->abort(string("Global pool overlapping: \n")
+" "+rule->getLabel()+" : "
+printGlobalPoolAddress(*(natcmd->t_addr))
+"\n"
+" "+nc->rule_label+" : "
+printGlobalPoolAddress(*(nc->t_addr)) );
compiler->abort(
rule,
string("Global pool overlap: ")
+ rule->getLabel() + " : "
+ printGlobalPoolAddress(*(natcmd->t_addr))
+ nc->rule_label + " : "
+ printGlobalPoolAddress(*(nc->t_addr)) );
}
}
@ -1310,12 +1381,15 @@ bool NATCompiler_pix::DetectOverlappingGlobalPoolsAndStaticRules::processNext()
if ( checkOverlapping( addr, *(outa->getAddressPtr())) ||
checkOverlapping( *outa, *(addr.getAddressPtr())) )
compiler->abort("Global pool "
+printGlobalPoolAddress(addr)
+" from rule "
+natcmd->rule_label
+" overlaps with static translation address in rule "
+rule->getLabel());
compiler->abort(
rule,
"Global pool "
+printGlobalPoolAddress(addr)
+" from rule "
+natcmd->rule_label
+" overlaps with static translation address in rule "
+rule->getLabel());
}
}
return true;
@ -1378,7 +1452,7 @@ bool NATCompiler_pix::DetectDuplicateNAT::processNext()
<< "/"
<< TCPUDPService::cast(natcmd->o_srv)->getDstRangeEnd();
compiler->abort(str.str());
compiler->abort(rule, str.str());
}
}
}
@ -1410,13 +1484,15 @@ bool NATCompiler_pix::DetectOverlappingStatics::processNext()
*(sc->osrc) == *(scmd->osrc) &&
sc->oaddr->getId() == scmd->oaddr->getId())
compiler->abort(
"Static NAT rules overlap or are redundant : rules "+
sc->rule+" and "+scmd->rule+" : "+
"outside address: "+
"interface "+Interface::cast(scmd->oaddr)->getLabel()+
" inside address: "+
scmd->iaddr->getAddressPtr()->toString()+"/"+
scmd->iaddr->getNetmaskPtr()->toString());
rule,
"Static NAT rules overlap or are redundant : rules "+
sc->rule+" and "+scmd->rule+" : "+
"outside address: "+
"interface "+Interface::cast(scmd->oaddr)->getLabel()+
" inside address: "+
scmd->iaddr->getAddressPtr()->toString()+"/"+
scmd->iaddr->getNetmaskPtr()->toString());
} else
{
if ( *(sc->osrv) == *(scmd->osrv) &&
@ -1436,14 +1512,16 @@ bool NATCompiler_pix::DetectOverlappingStatics::processNext()
if ( ! getOverlap(*(ia1), *(ia2)).empty() ||
! getOverlap(*(oa1), *(oa2)).empty() )
compiler->abort(
"Static NAT rules overlap or are redundant: rules "+
sc->rule+" and "+scmd->rule+" : "+
"outside address: "+
scmd->oaddr->getAddressPtr()->toString()+"/"+
scmd->oaddr->getNetmaskPtr()->toString()+
" inside address: "+
scmd->iaddr->getAddressPtr()->toString()+"/"+
scmd->iaddr->getNetmaskPtr()->toString());
rule,
"Static NAT rules overlap or are redundant: rules "+
sc->rule+" and "+scmd->rule+" : "+
"outside address: "+
scmd->oaddr->getAddressPtr()->toString()+"/"+
scmd->oaddr->getNetmaskPtr()->toString()+
" inside address: "+
scmd->iaddr->getAddressPtr()->toString()+"/"+
scmd->iaddr->getNetmaskPtr()->toString());
}
}
}
@ -1455,16 +1533,17 @@ bool NATCompiler_pix::DetectOverlappingStatics::processNext()
void NATCompiler_pix::compile()
{
cout << " Compiling NAT rules for " << fw->getName() << " ..." << endl << flush;
info(" Compiling NAT rules for " + fw->getName());
try {
Compiler::compile();
add( new Begin( "Begin processing"));
add( new printTotalNumberOfRules());
add( new singleRuleFilter());
if (fw->getOptionsObject()->getBool( "pix_optimize_default_nat"))
add (new optimizeDefaultNAT(
"optimize commands 'nat (interface) 0.0.0.0 0.0.0.0'"));
@ -1568,7 +1647,8 @@ void NATCompiler_pix::compile()
runRuleProcessors();
} catch (FWException &ex) {
} catch (FWException &ex)
{
error(ex.toString());
exit(1);
}
@ -1629,7 +1709,7 @@ void NATCompiler_pix::epilog()
{
if ( fw->getOptionsObject()->getBool("pix_regroup_commands"))
{
cout << " Regrouping commands \n" << flush;
info(" Regrouping commands");
regroup();
}
}

@ -460,7 +460,7 @@ namespace fwcompiler {
public:
NATCompiler_pix(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf);

@ -59,7 +59,8 @@ bool NATCompiler_pix::PrintClearCommands::processNext()
compiler->output << endl;
if ( !compiler->fw->getOptionsObject()->getBool("pix_acl_no_clear") )
if ( !compiler->fw->getOptionsObject()->getBool("pix_acl_no_clear") &&
!compiler->inSingleRuleCompileMode())
{
compiler->output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
@ -172,10 +173,10 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule)
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
Interface *osrc_iface = compiler->getCachedFwInterface(
helper.findInterfaceByNetzone(osrc ) );
Interface *odst_iface = compiler->getCachedFwInterface(
helper.findInterfaceByNetzone(odst ) );
Interface *osrc_iface = Interface::cast(
compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(osrc)));
Interface *odst_iface = Interface::cast(
compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(odst)));
string addr=odst->getAddressPtr()->toString();
string mask;
@ -299,7 +300,8 @@ bool NATCompiler_pix::PrintRule::processNext()
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if ( compiler->fw->getOptionsObject()->getBool("pix_include_comments") )
if ( compiler->fw->getOptionsObject()->getBool("pix_include_comments") &&
!compiler->inSingleRuleCompileMode())
{
string rl=rule->getLabel();
if (rl!=current_rule_label)
@ -321,6 +323,8 @@ bool NATCompiler_pix::PrintRule::processNext()
}
}
string err = rule->getStr(".error_msg");
if (!err.empty()) compiler->output << "! " << err << endl;
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
@ -330,9 +334,10 @@ bool NATCompiler_pix::PrintRule::processNext()
Address *tdst=compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv);
Interface *iface_orig = compiler->getCachedFwInterface( rule->getInt("nat_iface_orig") );
Interface *iface_trn = compiler->getCachedFwInterface( rule->getInt("nat_iface_trn" ) );
Interface *iface_orig = Interface::cast(
compiler->dbcopy->findInIndex(rule->getInt("nat_iface_orig")));
Interface *iface_trn = Interface::cast(
compiler->dbcopy->findInIndex(rule->getInt("nat_iface_trn")));
switch (rule->getRuleType())
{
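Review bot: The `.error_msg` text written at L4155-L4156 goes into the generated device configuration as a `!` comment, but only its first line is commented: any embedded newline in the message would leave the remainder as a bare line of config, and some abort messages elsewhere in this commit are built from streams (e.g. the `str.str()` passed at L4028-L4029), so that cannot be ruled out here. Flatten the message before emitting it, e.g. `std::replace(err.begin(), err.end(), '\n', ' ');` (needs `<algorithm>`), or write one `! ` line per segment. The same applies to the identical block in the IOS ACL writer at L4515-L4516. Separately, `Interface::cast(compiler->dbcopy->findInIndex(...))` at L4137-L4140 and L4164-L4167 yields NULL when the id is absent or not an Interface; both functions continue outside the hunk, so the dereferences that follow should be guarded or asserted.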

@ -45,9 +45,9 @@ namespace fwcompiler {
virtual ~OSConfigurator_ios() {};
OSConfigurator_ios(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
libfwbuilder::Firewall *fw,
bool ipv6_policy) :
OSConfigurator(_db, fwname, ipv6_policy) {}
OSConfigurator(_db, fw, ipv6_policy) {}
virtual int prolog();

@ -200,7 +200,7 @@ string OSConfigurator_pix_os::_printLogging()
if (iface_id == -1)
abort("Log server " + syslog_host +
" does not belong to any known network zone");
Interface *syslog_iface = getCachedFwInterface(iface_id);
Interface *syslog_iface = Interface::cast(dbcopy->findInIndex(iface_id));
str << endl;
@ -267,7 +267,7 @@ string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,
if (iface_id == -1)
abort(string("SNMP server ") + srv +
" does not belong to any known network zone");
Interface *snmp_iface = getCachedFwInterface(iface_id);
Interface *snmp_iface = Interface::cast(dbcopy->findInIndex(iface_id));
str << "snmp-server host " << snmp_iface->getLabel() << " " << srv;
switch (poll_trap)
{
@ -356,7 +356,7 @@ string OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref)
int iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id == -1)
abort("NTP server "+srv+" does not belong to any known network zone");
Interface *ntp_iface = getCachedFwInterface(iface_id);
Interface *ntp_iface = Interface::cast(dbcopy->findInIndex(iface_id));
str << "ntp server " << srv << " source " << ntp_iface->getLabel();
if (pref) str << " prefer";
str << endl;
@ -515,7 +515,7 @@ string OSConfigurator_pix_os::_printServiceTimeout(
return res.str();
}
string OSConfigurator_pix_os::_printTimeouts()
string OSConfigurator_pix_os::_printTimeouts()
{
ostringstream res;
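Review bot: `snmp_iface->getLabel()` at L4198 and `ntp_iface->getLabel()` at L4207 dereference the result of `Interface::cast(dbcopy->findInIndex(iface_id))` without a NULL check; the `iface_id == -1` guards at L4193 and L4203 only cover the netzone lookup failing, not the index returning nothing or returning an object that is not an Interface (where the cast yields NULL). Add a check after each lookup, e.g. `if (snmp_iface == NULL) abort(string("SNMP server ") + srv + ": interface lookup failed");` and the analogous line for `ntp_iface`. The syslog case at L4189-L4190 has the same shape; its use of `syslog_iface` is outside the hunk.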

@ -60,9 +60,9 @@ namespace fwcompiler {
virtual ~OSConfigurator_pix_os() {};
OSConfigurator_pix_os(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
libfwbuilder::Firewall *fw,
bool ipv6_policy) :
OSConfigurator(_db, fwname, ipv6_policy) {}
OSConfigurator(_db, fw, ipv6_policy) {}
virtual int prolog();

@ -61,10 +61,10 @@ using namespace std;
string PolicyCompiler_cisco::myPlatformName() { return ""; }
PolicyCompiler_cisco::PolicyCompiler_cisco(FWObjectDatabase *_db,
const std::string &fwname,
Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf) :
PolicyCompiler(_db, fwname, ipv6_policy, _oscnf) , helper(this)
PolicyCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this)
{
}
@ -88,13 +88,17 @@ string PolicyCompiler_cisco::createRuleLabel(const string &txt,
string PolicyCompiler_cisco::debugPrintRule(Rule *r)
{
ostringstream str;
PolicyRule *rule=PolicyRule::cast(r);
Interface *rule_iface = getCachedFwInterface(rule->getInterfaceId());
string iname=(rule_iface!=NULL)?rule_iface->getName():"";
FWObject *rule_iface = dbcopy->findInIndex(rule->getInterfaceId());
string iname = (rule_iface!=NULL)?rule_iface->getName():"";
string dir= rule->getDirectionAsString();
return PolicyCompiler::debugPrintRule(rule)+
" "+dir+" "+iname+" "+rule->getStr("acl");
str << PolicyCompiler::debugPrintRule(rule) <<
" " << dir << " " << iname << " " << rule->getStr("acl") <<
" intfId=" << rule->getInterfaceId() <<
" intfstr=" << rule->getInterfaceStr();
return str.str();
}
@ -111,14 +115,12 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
ssh->setDstRangeStart(22);
ssh->setDstRangeEnd(22);
dbcopy->add(ssh,false);
cacheObj(ssh); // to keep cache consistent
Network *mgmt_workstation = dbcopy->createNetwork();
mgmt_workstation->setAddressNetmask(
getCachedFwOpt()->getStr("mgmt_addr"));
dbcopy->add(mgmt_workstation, false);
cacheObj(mgmt_workstation); // to keep cache consistent
r= dbcopy->createPolicyRule();
temp_ruleset->add(r);
@ -126,7 +128,7 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
r->setLogging(false);
r->setDirection(PolicyRule::Inbound);
r->setPosition(-1);
r->setComment(" backup ssh access rule ");
// r->setComment(" backup ssh access rule ");
r->setHidden(true);
r->setFallback(false);
r->setLabel("backup ssh access rule");
@ -437,7 +439,7 @@ bool PolicyCompiler_cisco::specialCaseWithDynInterface::dropDynamicInterface(
PolicyRule *rule, PolicyRule::Direction cmp_dir, RuleElement *re)
{
PolicyRule::Direction dir=rule->getDirection();
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
list<FWObject*> cl;
for (list<FWObject*>::iterator i1=re->begin(); i1!=re->end(); ++i1)
@ -570,7 +572,7 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
bool PolicyCompiler_cisco::replaceFWinSRCInterfacePolicy::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
if (rule_iface!=NULL && rule->getDirection()==PolicyRule::Outbound)
{
@ -590,7 +592,7 @@ bool PolicyCompiler_cisco::replaceFWinSRCInterfacePolicy::processNext()
bool PolicyCompiler_cisco::replaceFWinDSTInterfacePolicy::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
if (rule_iface!=NULL && rule->getDirection()==PolicyRule::Inbound)
{
@ -615,7 +617,7 @@ bool PolicyCompiler_cisco::replaceFWinDSTPolicy::processNext()
{
Helper helper(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
if (rule_iface==NULL)
{
@ -628,7 +630,7 @@ bool PolicyCompiler_cisco::replaceFWinDSTPolicy::processNext()
{
int iface_id = helper.findInterfaceByNetzone(
compiler->getFirstSrc(rule));
Interface *iface = compiler->getCachedFwInterface(iface_id);
FWObject *iface = compiler->dbcopy->findInIndex(iface_id);
dst->clearChildren();
dst->addRef(iface);
@ -636,10 +638,8 @@ bool PolicyCompiler_cisco::replaceFWinDSTPolicy::processNext()
{
ostringstream str;
str << "Address " << addr
<< " does not match address or network zone of any interface. Rule "
<< rule->getLabel()
<< endl;
compiler->abort(str.str());
<< " does not match address or network zone of any interface." ;
compiler->abort(rule, str.str());
}
}
}
@ -710,7 +710,7 @@ bool PolicyCompiler_cisco::splitByNetworkZonesForRE::processNext()
compiler->fw->getStr("platform"), "network_zones");
if (supports_network_zones)
compiler->warning(err + " Rule " + rule->getLabel());
compiler->warning(rule, err);
FWObjectTypedChildIterator i =
compiler->fw->findByType(Interface::TYPENAME);
@ -796,7 +796,10 @@ bool PolicyCompiler_cisco::processMultiAddressObjectsInRE::processNext()
if (FWReference::cast(o)!=NULL) o = FWReference::cast(o)->getPointer();
MultiAddress *atrt = MultiAddress::cast(o);
if (atrt!=NULL && atrt->isRunTime())
compiler->abort("Run-time AddressTable and DNSName objects are not supported. Rule " + rule->getLabel());
compiler->abort(
rule,
"Run-time AddressTable and DNSName objects are not supported.");
}
tmp_queue.push_back(rule);
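Review bot: Changing `rule_iface` from `Interface *` to `FWObject *` at L4287, L4295, L4303 and L4311 drops the type check the old accessor implied: `findInIndex` returns whatever object carries that id, and at L4318-L4321 that object is added to `dst` via `addRef` without confirming it is an interface. The NAT compiler hunks in this same commit keep the check (`Interface::cast(compiler->dbcopy->findInIndex(...))` at L3912-L3915); the same form here, `Interface *iface = Interface::cast(compiler->dbcopy->findInIndex(iface_id));` followed by `assert(iface != NULL);`, would make a wrong id fail loudly instead of producing a rule that references the wrong object. The enclosing functions continue outside these hunks, so whether a later line already validates the type cannot be confirmed from here.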

@ -434,7 +434,7 @@ protected:
public:
PolicyCompiler_cisco(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf);
virtual ~PolicyCompiler_cisco() {}

@ -209,12 +209,12 @@ bool PolicyCompiler_cisco::pickACL::processNext()
compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *rule_iface = compiler->getCachedFwInterface(
rule->getInterfaceId());
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInterfaceId()));
if(rule_iface==NULL)
{
compiler->abort("Missing interface assignment for rule " +
rule->getLabel());
compiler->abort(
rule, "Missing interface assignment");
}
/*
@ -240,7 +240,11 @@ bool PolicyCompiler_cisco::pickACL::processNext()
}
if (rule->getDirection() == PolicyRule::Outbound && !generate_out_acl)
compiler->abort("Rule with direction 'Outbound' requires outbound ACL but option 'Generate outbound access lists' is OFF. Rule " + rule->getLabel());
compiler->abort(
rule,
"Rule with direction 'Outbound' requires outbound ACL "
"but option 'Generate outbound access lists' is OFF.");
/* The choice of the ACL name depends on whether this is a named
* acl or not. If not, should use unique numbers. Also need to
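Review bot: The NULL branch at L4373-L4379 relies on `compiler->abort(rule, ...)` not returning; the writers in this commit print a per-rule `.error_msg` (L4155-L4156), which suggests the rule-aware abort may record the error and continue rather than throw, in which case pickACL goes on with `rule_iface == NULL`. Either make the branch self-contained, `if (rule_iface==NULL) { compiler->abort(rule, "Missing interface assignment"); return true; }`, or, if abort is guaranteed to throw here, say so in a comment on that line. The same pattern appears at L4385-L4388 in this hunk. The body of pickACL continues outside the hunk, so the later uses of `rule_iface` are not visible here.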

@ -61,10 +61,10 @@ using namespace std;
string PolicyCompiler_iosacl::myPlatformName() { return "iosacl"; }
PolicyCompiler_iosacl::PolicyCompiler_iosacl(FWObjectDatabase *_db,
const std::string &fwname,
Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf) :
PolicyCompiler_cisco(_db, fwname, ipv6_policy, _oscnf)
PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf)
{
resetinbound=false;
fragguard=false;
@ -82,7 +82,7 @@ int PolicyCompiler_iosacl::prolog()
object_groups = new Group();
dbcopy->add( object_groups );
output << "!################" << endl;
// output << "!################" << endl;
return PolicyCompiler::prolog();
}
@ -98,7 +98,9 @@ bool PolicyCompiler_iosacl::checkForDynamicInterface::findDynamicInterface(
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Interface *iface=Interface::cast(obj);
if (iface!=NULL && iface->isDyn())
compiler->abort("Dynamic interface can not be used in the IOS ACL rules. Rule "+rule->getLabel());
compiler->abort(
rule,
"Dynamic interface can not be used in the IOS ACL rules.");
}
return true;
@ -126,14 +128,20 @@ bool PolicyCompiler_iosacl::SpecialServices::processNext()
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
compiler->abort("IOS ACL does not support checking for IP options in ACLs. Rule: "+rule->getLabel());
compiler->abort(
rule,
"IOS ACL does not support checking for IP options in ACLs.");
}
if (TCPService::cast(s)!=NULL) {
if (s->getBool("ack_flag") ||
s->getBool("fin_flag") ||
s->getBool("rst_flag") ||
s->getBool("syn_flag") )
compiler->abort("IOS ACL does not support checking for TCP options in ACLs. Rule: "+rule->getLabel());
compiler->abort(
rule,
"IOS ACL does not support checking for TCP options in ACLs.");
}
tmp_queue.push_back(rule);
@ -142,10 +150,9 @@ bool PolicyCompiler_iosacl::SpecialServices::processNext()
void PolicyCompiler_iosacl::compile()
{
cout << endl;
cout << " Compiling ruleset " << getSourceRuleSet()->getName();
if (ipv6) cout << ", IPv6";
cout << endl << flush;
string banner = " Compiling ruleset " + getSourceRuleSet()->getName();
if (ipv6) banner += ", IPv6";
info(banner);
try
{
@ -156,7 +163,8 @@ void PolicyCompiler_iosacl::compile()
addDefaultPolicyRule();
if ( fw->getOptionsObject()->getBool ("check_shading") )
if ( fw->getOptionsObject()->getBool ("check_shading") &&
! inSingleRuleCompileMode())
{
add( new Begin("Detecting rule shadowing" ) );
add( new printTotalNumberOfRules());
@ -193,6 +201,8 @@ void PolicyCompiler_iosacl::compile()
add( new Begin (" Start processing rules" ) );
add( new printTotalNumberOfRules ( ) );
add( new singleRuleFilter());
add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ) );
add( new recursiveGroupsInDst( "check for recursive groups in DST" ) );
add( new recursiveGroupsInSrv( "check for recursive groups in SRV" ) );
@ -289,7 +299,8 @@ void PolicyCompiler_iosacl::compile()
runRuleProcessors();
} catch (FWException &ex) {
} catch (FWException &ex)
{
error(ex.toString());
exit(1);
}
@ -330,7 +341,7 @@ void PolicyCompiler_iosacl::epilog()
if ( fw->getOptionsObject()->getBool("iosacl_regroup_commands") )
{
cout << " Regrouping commands \n" << flush;
info(" Regrouping commands");
regroup();
}
}
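Review bot: The new `! inSingleRuleCompileMode()` condition at L4458-L4459 switches off rule-shadowing detection without saying why, and a reader auditing the generated ACL will want to know that this is deliberate and not a lost check. Add a comment above it such as `// shadowing is a property of the whole rule set; it cannot be evaluated when only one rule is compiled`. The equivalent gate in the PIX compiler at L4782-L4783 would take the same comment.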

@ -252,7 +252,7 @@ namespace fwcompiler {
public:
PolicyCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf);
virtual ~PolicyCompiler_iosacl() {}

@ -60,6 +60,7 @@
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
@ -198,7 +199,7 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
string rl=rule->getLabel();
if (write_comments)
if (write_comments && !compiler->inSingleRuleCompileMode())
{
if (rl!=current_rule_label1)
{
@ -219,6 +220,9 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
}
}
string err = rule->getStr(".error_msg");
if (!err.empty()) ruleout << "! " << err << endl;
/*
* all three rule elements contain exactly one object, which can
* be either group (in case processor CreateObjectGroups created
@ -280,7 +284,9 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
// aclstr << endl;
if (compiler->fw->getOptionsObject()->getBool("iosacl_use_acl_remarks"))
ruleout << acl->addRemark( rule->getLabel() );
{
ruleout << acl->addRemark(rule->getLabel(), rule->getComment());
}
ruleout << acl->addLine(aclstr.str());
@ -355,8 +361,8 @@ string PolicyCompiler_iosacl::PrintRule::_printIPServiceOptions(PolicyRule *r)
{
if (ip->getBool("lsrr") || ip->getBool("ssrr") || ip->getBool("rr"))
compiler->abort(
string("Source routing options match is not supported. Rule ") +
r->getLabel());
r,
"Source routing options match is not supported.");
if (srv->getBool("fragm") || srv->getBool("short_fragm"))
return "fragments ";
@ -395,7 +401,7 @@ string PolicyCompiler_iosacl::PrintRule::_printDstService(Service *srv)
if (TCPService::isA(srv) && srv->getBool("established"))
str << "established ";
if (ICMPService::isA(srv) && srv->getInt("type")!=-1)
if ((ICMPService::isA(srv) || ICMP6Service::isA(srv)) && srv->getInt("type")!=-1)
str << srv->getStr("type") << " ";
if (CustomService::isA(srv))
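Review bot: `acl->addRemark(rule->getLabel(), rule->getComment())` at L4525 now copies the free-form rule comment into the generated configuration; unless `addRemark` (not visible here) splits its text into one `remark` per line, a comment containing a newline leaves its continuation as an uncommented line of the emitted ACL. Either have the writer normalise the comment before the call, e.g. `string cmt = rule->getComment(); std::replace(cmt.begin(), cmt.end(), '\n', ' ');` and pass `cmt`, or document on this line that `addRemark` is responsible for line-splitting. The same newline concern applies to the `.error_msg` output at L4515-L4516.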

@ -65,11 +65,11 @@ using namespace std;
string PolicyCompiler_pix::myPlatformName() { return "pix"; }
PolicyCompiler_pix::PolicyCompiler_pix(FWObjectDatabase *_db,
const std::string &fwname,
Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf,
NATCompiler_pix *_natcmp) :
PolicyCompiler_cisco(_db, fwname, ipv6_policy, _oscnf)
PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf)
{
natcmp=_natcmp;
resetinbound=false;
@ -88,93 +88,99 @@ int PolicyCompiler_pix::prolog()
object_groups=new Group();
dbcopy->add( object_groups );
output << "!################" << endl;
if (platform=="fwsm")
if (!inSingleRuleCompileMode())
{
if (fw->getOptionsObject()->getBool("pix_use_manual_commit") )
output << "access-list mode manual" << endl;
else
output << "access-list mode auto" << endl;
}
output << "!################" << endl;
if ( fw->getOptionsObject()->getBool("pix_acl_substitution") )
{
/* Generate short temporary ACL and assign it to all
* interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500)
as well as ssh from given subnet to any.
*/
string temp_acl = "tmp_acl";
string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr");
if (temp_acl_addr.empty())
if (platform=="fwsm")
{
abort("Missing address for management host or subnet for temporary ACL.\nPlease enter it in the tab 'Script options' in 'Firewall Settings' dialog");
if (fw->getOptionsObject()->getBool("pix_use_manual_commit") )
output << "access-list mode manual" << endl;
else
output << "access-list mode auto" << endl;
}
string::size_type slash_idx = temp_acl_addr.find('/');
string addr = temp_acl_addr;
string netmask = "255.255.255.255";
if (slash_idx!=string::npos)
if ( fw->getOptionsObject()->getBool("pix_acl_substitution") )
{
addr = temp_acl_addr.substr(0,slash_idx);
netmask = temp_acl_addr.substr(slash_idx+1);
/* Generate short temporary ACL and assign it to all
* interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500)
as well as ssh from given subnet to any.
*/
string temp_acl = "tmp_acl";
string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr");
if (temp_acl_addr.empty())
{
abort(
"Missing address for management host or subnet for "
"temporary ACL. Enter it in the tab 'Script "
"options' in 'Firewall Settings' dialog");
}
string::size_type slash_idx = temp_acl_addr.find('/');
string addr = temp_acl_addr;
string netmask = "255.255.255.255";
if (slash_idx!=string::npos)
{
addr = temp_acl_addr.substr(0,slash_idx);
netmask = temp_acl_addr.substr(slash_idx+1);
try
{
if (netmask.find(".")!=string::npos)
{
InetAddr nm(netmask);
nm.isAny(); // to avoid warning abt unused var
} else
{
int nm_length;
istringstream str(netmask);
str >> nm_length;
InetAddr nm(nm_length);
netmask = nm.toString();
}
} catch(FWException &ex)
{
abort("Invalid netmask for management subnet: '"+netmask+"'");
}
}
try
{
if (netmask.find(".")!=string::npos)
{
InetAddr nm(netmask);
nm.isAny(); // to avoid warning abt unused var
} else
{
int nm_length;
istringstream str(netmask);
str >> nm_length;
InetAddr nm(nm_length);
netmask = nm.toString();
}
InetAddr(addr);
} catch(FWException &ex)
{
abort("Invalid netmask for management subnet: '"+netmask+"'");
abort("Invalid address for management subnet: '"+addr+"'");
}
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_acl");
output << endl;
output << clearACLcmd << " " << temp_acl << endl;
output << "access-list " << temp_acl
<< " permit ip "
<< addr << " " << netmask
<< " any "
<< endl;
output << "access-list " << temp_acl
<< " deny ip any any "
<< endl;
if (platform=="fwsm" &&
fw->getOptionsObject()->getBool("pix_use_manual_commit") )
output << "access-list commit" << endl;
output << endl;
output << "access-group " << temp_acl
<< " in interface outside" << endl;
output << "access-group " << temp_acl
<< " in interface inside" << endl;
output << endl;
}
try
{
InetAddr(addr);
} catch(FWException &ex)
{
abort("Invalid address for management subnet: '"+addr+"'");
}
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_acl");
output << endl;
output << clearACLcmd << " " << temp_acl << endl;
output << "access-list " << temp_acl
<< " permit ip "
<< addr << " " << netmask
<< " any "
<< endl;
output << "access-list " << temp_acl
<< " deny ip any any "
<< endl;
if (platform=="fwsm" &&
fw->getOptionsObject()->getBool("pix_use_manual_commit") )
output << "access-list commit" << endl;
output << endl;
output << "access-group " << temp_acl
<< " in interface outside" << endl;
output << "access-group " << temp_acl
<< " in interface inside" << endl;
output << endl;
}
return PolicyCompiler::prolog();
@ -191,7 +197,10 @@ bool PolicyCompiler_pix::checkVersionAndDynamicInterface::findDynamicInterface(
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Interface *iface=Interface::cast(obj);
if (iface!=NULL && iface->isDyn() && (vers=="6.1" || vers=="6.2"))
compiler->abort("Dynamic interface can be used in the policy rule only in v6.3 or later. Rule "+rule->getLabel());
compiler->abort(
rule,
"Dynamic interface can be used in the policy rule only "
"in v6.3 or later.");
}
return true;
@ -238,14 +247,20 @@ bool PolicyCompiler_pix::SpecialServices::processNext()
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
compiler->abort("PIX does not support checking for IP options in ACLs. Rule: "+rule->getLabel());
compiler->abort(
rule,
"PIX does not support checking for IP options in ACLs.");
}
if (TCPService::cast(s)!=NULL) {
if (s->getBool("ack_flag") ||
s->getBool("fin_flag") ||
s->getBool("rst_flag") ||
s->getBool("syn_flag") )
compiler->abort("PIX does not support checking for TCP options in ACLs. Rule: "+rule->getLabel());
compiler->abort(
rule,
"PIX does not support checking for TCP options in ACLs.");
}
tmp_queue.push_back(rule);
@ -332,7 +347,7 @@ bool PolicyCompiler_pix::replaceNATtedObjects::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
// string rule_iface_id=rule->getInterfaceId();
// Address *src=compiler->getFirstSrc(rule);
@ -551,9 +566,9 @@ PIXGroup* PolicyCompiler_pix::CreateObjectGroups::findObjectGroup(RuleElement *r
bool PolicyCompiler_pix::CreateObjectGroups::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
assert(rule_iface);
RuleElement *re=RuleElement::cast(rule->getFirstByType(re_type));
@ -582,7 +597,6 @@ bool PolicyCompiler_pix::CreateObjectGroups::processNext()
rule_iface->getLabel()+"."+rule->getUniqueId()+"."+name_suffix);
pix_comp->object_groups->add(obj_group);
pix_comp->cacheObj(obj_group);
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
@ -604,10 +618,9 @@ bool PolicyCompiler_pix::CreateObjectGroups::processNext()
void PolicyCompiler_pix::compile()
{
cout << endl;
cout << " Compiling ruleset " << getSourceRuleSet()->getName();
if (ipv6) cout << ", IPv6";
cout << endl << flush;
string banner = " Compiling ruleset " + getSourceRuleSet()->getName();
if (ipv6) banner += ", IPv6";
info(banner);
try
{
@ -630,7 +643,8 @@ void PolicyCompiler_pix::compile()
addDefaultPolicyRule();
if ( fw->getOptionsObject()->getBool ("check_shading"))
if ( fw->getOptionsObject()->getBool ("check_shading") &&
! inSingleRuleCompileMode())
{
add( new Begin ("Detecting rule shadowing" ));
add( new printTotalNumberOfRules ( ));
@ -659,6 +673,9 @@ void PolicyCompiler_pix::compile()
add( new Begin (" Start processing rules" ));
add( new printTotalNumberOfRules ( ));
add( new singleRuleFilter());
add( new RejectAction ("check for action 'Reject'" ));
add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ));
@ -803,7 +820,8 @@ void PolicyCompiler_pix::compile()
*/
runRuleProcessors();
} catch (FWException &ex) {
} catch (FWException &ex)
{
error(ex.toString());
exit(1);
}
@ -844,7 +862,7 @@ void PolicyCompiler_pix::epilog()
if ( fw->getOptionsObject()->getBool("pix_regroup_commands"))
{
cout << " Regrouping commands \n" << flush;
info(" Regrouping commands");
regroup();
}
}


@ -310,7 +310,7 @@ namespace fwcompiler {
public:
PolicyCompiler_pix(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname,
libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf,
NATCompiler_pix *_natcmp);


@ -84,7 +84,7 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
if (interface_id==-1 && !icmp_cmd && !ssh_telnet_cmd && (
rule->getDirection()==PolicyRule::Inbound ||
rule->getDirection()==PolicyRule::Outbound)
) compiler->abort(string("Direction set without interface in rule ")+rule->getLabel());
) compiler->abort(rule, "Direction set without interface");
return true;
}
@ -104,7 +104,7 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
bool PolicyCompiler_pix::SplitDirection_v6::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
if (rule->getDirection()==PolicyRule::Both)
{
@ -173,7 +173,7 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
{
Helper helper(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
if (rule->getDirection()==PolicyRule::Outbound && rule_iface!=NULL)
{
@ -231,10 +231,14 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
<< "Address " << addr
<< " does not match address or network zone of any interface"
<< endl;
compiler->abort(str.str());
compiler->abort(rule, str.str());
}
} else
compiler->abort("Outbound ACLs are not supported and emulation is not activated: Rule "+rule->getLabel());
compiler->abort(
rule,
"Outbound ACLs are not supported and emulation is "
"not activated");
} else
tmp_queue.push_back(rule);
@ -322,7 +326,7 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
<< "Address " << addr
<< " does not match address or network zone of any interface"
<< endl;
compiler->abort(str.str());
compiler->abort(rule, str.str());
}
} else {
@ -338,16 +342,18 @@ bool PolicyCompiler_pix::pickACL_v6::processNext()
{
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
if(rule_iface==NULL)
{
compiler->abort("Missing interface assignment for rule "+rule->getLabel());
compiler->abort(
rule, "Missing interface assignment");
}
string acl_name= rule_iface->getLabel() + "_acl_in";
rule->setStr("acl",acl_name);
ciscoACL *acl = new ciscoACL(acl_name,rule_iface, "in");
ciscoACL *acl = new ciscoACL(acl_name, rule_iface, "in");
pix_comp->acls[acl_name] = acl;
acl->setWorkName(acl_name);
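Review bot: In pickACL_v6::processNext the `compiler->abort(rule, "Missing interface assignment")` call in the `rule_iface==NULL` branch is not followed by a return, so the very next statement, `rule_iface->getLabel()`, dereferences NULL whenever abort() comes back; the `-xt` handling added to CompilerDriver::configure in this same commit says fatal errors are treated as warnings in test mode, which suggests abort() can return. Adding a return inside the braces, `compiler->abort(rule, "Missing interface assignment"); return true;` (or whichever value the processor chain uses for a dropped rule), keeps the null pointer out of the ciscoACL construction. The same shape appears in RoutingCompiler_iosacl::ExpandMultipleAddressesExceptInterface::processNext, where `compiler->abort(rule, "Broken GTW")` is immediately followed by `Interface::isA(gtw)` on the null pointer. Both enclosing functions continue past their hunks.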


@ -89,29 +89,34 @@ bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
slurp();
if (tmp_queue.size()==0) return false;
if ( compiler->fw->getOptionsObject()->getBool("pix_acl_basic") )
if (!compiler->inSingleRuleCompileMode())
{
compiler->output << clearACLcmd << endl;
compiler->output << clearOGcmd << endl;
}
// No need to output "clear" commands in single rule compile mode
if (compiler->fw->getOptionsObject()->getBool("pix_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=pix_comp->acls.begin();
i!=pix_comp->acls.end(); ++i)
if ( compiler->fw->getOptionsObject()->getBool("pix_acl_basic") )
{
ciscoACL *acl=(*i).second;
compiler->output << clearACLcmd << " " << acl->workName() << endl;
compiler->output << clearACLcmd << endl;
compiler->output << clearOGcmd << endl;
}
compiler->output << clearOGcmd << endl;
compiler->output << endl;
}
if ( !compiler->fw->getOptionsObject()->getBool("pix_acl_no_clear") )
{
compiler->output << clearICMPcmd << endl;
compiler->output << clearTelnetcmd << endl;
compiler->output << clearSSHcmd << endl;
if (compiler->fw->getOptionsObject()->getBool("pix_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=pix_comp->acls.begin();
i!=pix_comp->acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << clearACLcmd << " " << acl->workName() << endl;
}
compiler->output << clearOGcmd << endl;
compiler->output << endl;
}
if ( !compiler->fw->getOptionsObject()->getBool("pix_acl_no_clear") )
{
compiler->output << clearICMPcmd << endl;
compiler->output << clearTelnetcmd << endl;
compiler->output << clearSSHcmd << endl;
}
}
for (FWObject::iterator i=pix_comp->object_groups->begin();
@ -146,7 +151,8 @@ bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
pix_comp->output << "object-group service "
<< og->getName() << " udp" << endl;
break;
default: compiler->abort("Unknown object group");
default:
compiler->abort("Unknown object group type");
}
for (FWObject::iterator i1=og->begin(); i1!=og->end(); ++i1)
@ -218,7 +224,7 @@ bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
break;
}
default:
compiler->abort("Unknown object group");
compiler->abort("Unknown object group type");
}
}
pix_comp->output << " exit" << endl << endl;
@ -420,7 +426,7 @@ string PolicyCompiler_pix::PrintRule::_printICMPCommand(PolicyRule *rule)
FWObject *srv=srvrel->front();
if (FWReference::cast(srv)!=NULL) srv=FWReference::cast(srv)->getPointer();
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
assert(rule_iface);
if ( PIXGroup::cast(srv)!=NULL &&
@ -473,7 +479,7 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule
RuleElementSrc *rel=rule->getSrc();
Service *srv=compiler->getFirstSrv(rule);
Interface *rule_iface = compiler->getCachedFwInterface(rule->getInterfaceId());
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
assert(rule_iface);
port=TCPUDPService::cast(srv)->getDstRangeStart();
@ -493,13 +499,15 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule
o1=FWReference::cast(o1)->getPointer();
Address *a=Address::cast(o1);
assert(a!=NULL);
str << _printSingleSSHTelnetCommand(port,a,rule_iface->getLabel());
str << _printSingleSSHTelnetCommand(
port, a, rule_iface->getLabel());
}
} else
{
Address *a=Address::cast(o);
assert(a!=NULL);
str << _printSingleSSHTelnetCommand(port,a,rule_iface->getLabel());
str << _printSingleSSHTelnetCommand(
port, a, rule_iface->getLabel());
}
}
@ -550,7 +558,7 @@ bool PolicyCompiler_pix::PrintRule::processNext()
string rl=rule->getLabel();
if (write_comments)
if (write_comments && !compiler->inSingleRuleCompileMode())
{
if (rl!=current_rule_label1)
{
@ -573,6 +581,9 @@ bool PolicyCompiler_pix::PrintRule::processNext()
compiler->output << comment.str();
string err = rule->getStr(".error_msg");
if (!err.empty()) compiler->output << "! " << err << endl;
if (rule->getBool("icmp_cmd"))
{
compiler->output << _printICMPCommand(rule);
@ -635,7 +646,7 @@ bool PolicyCompiler_pix::PrintRule::processNext()
if (compiler->fw->getOptionsObject()->getBool("pix_use_acl_remarks"))
{
compiler->output << acl->addRemark( rule->getLabel() );
compiler->output << acl->addRemark(rule->getLabel(), rule->getComment());
}
/*
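Review bot: `acl->addRemark(rule->getLabel(), rule->getComment())` now feeds the free-text rule comment into the generated `access-list ... remark` output; unless ciscoACL::addRemark (not visible in this commit) splits the comment on line breaks and prefixes each piece, a comment containing a newline would be emitted as a bare line in the device configuration rather than as a remark, so either confirm that in ACL.cpp or normalise the comment to a single line before the call. Separately, in _printICMPCommand and _printSSHTelnetCommand the new `Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()))` lookup is guarded only by `assert(rule_iface);`, which is compiled out under NDEBUG, leaving `rule_iface->getLabel()` to dereference NULL when the id does not resolve to an Interface; `if (rule_iface == NULL) compiler->abort(rule, "Missing interface assignment");` before the first use would match the check pickACL_v6 already performs. All three enclosing functions start outside their hunks.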


@ -84,8 +84,8 @@ bool RoutingCompiler_cisco::eliminateDuplicateRules::processNext()
msg = "Two of the sub rules created from the gui routing rules " +
rules_it->second + " and " + rule->getLabel() +
" are identical, skipping the second. " +
"Please revise them to avoid this warning";
compiler->warning( msg.c_str() );
"Revise them to avoid this warning";
compiler->warning(rule, msg.c_str() );
return true;
}

View File

@ -114,9 +114,9 @@ namespace fwcompiler
RoutingCompiler_cisco::PrintRule *printRule;
RoutingCompiler_cisco(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname, bool ipv6_policy,
libfwbuilder::Firewall *fw, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
RoutingCompiler(_db, fwname, ipv6_policy, _oscnf) {}
RoutingCompiler(_db, fw, ipv6_policy, _oscnf) {}
virtual int prolog();
virtual void compile();

View File

@ -90,7 +90,7 @@ bool RoutingCompiler_iosacl::ExpandMultipleAddressesExceptInterface::processNext
Address *gtw = Address::cast(
FWReference::cast(gtwrel->front())->getPointer());
if (gtw == NULL)
compiler->abort("Broken GTW in " + rule->getLabel());
compiler->abort(rule, "Broken GTW");
if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw)) return true;
compiler->_expandAddr(rule, gtwrel);
return true;
@ -104,8 +104,7 @@ void RoutingCompiler_iosacl::compile()
{
printRule = new RoutingCompiler_iosacl::PrintRule("");
cout << " Compiling routing rules for "
<< fw->getName() << " ..." << endl << flush;
info(" Compiling routing rules for " + fw->getName());
try
{
@ -114,6 +113,8 @@ void RoutingCompiler_iosacl::compile()
add(new RoutingCompiler::Begin());
add(new printTotalNumberOfRules());
add( new singleRuleFilter());
add(new recursiveGroupsInRDst("Check for recursive Groups in RDst"));
add(new emptyGroupsInRDst("Check for empty Groups in RDst"));
add(new emptyRDstAndRItf("Check if RDst and RItf are both empty"));
@ -153,7 +154,8 @@ void RoutingCompiler_iosacl::compile()
runRuleProcessors();
} catch (FWException &ex) {
} catch (FWException &ex)
{
error(ex.toString());
exit(1);
}


@ -73,9 +73,9 @@ namespace fwcompiler
public:
RoutingCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname, bool ipv6_policy,
libfwbuilder::Firewall *fw, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
RoutingCompiler_cisco(_db, fwname, ipv6_policy, _oscnf) {};
RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {};
virtual int prolog();
virtual void compile();


@ -77,18 +77,18 @@ bool RoutingCompiler_iosacl::PrintRule::processNext()
string::size_type c1, c2;
c1 = 0;
if (rl != current_rule_label)
if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label)
{
compiler->output << "! " << endl;
compiler->output << "! Rule " << rl << endl;
compiler->output << "! " << endl;
compiler->output << "! \"Routing rule " << rl << "\"" << endl;
compiler->output << "! " << endl;
compiler->output << "! " << endl;
compiler->output << "! Rule " << rl << endl;
compiler->output << "! " << endl;
compiler->output << "! \"Routing rule " << rl << "\"" << endl;
compiler->output << "! " << endl;
}
if( rule->getRuleType() != RoutingRule::MultiPath )
{
if (rl != current_rule_label)
if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label)
{
while ( (c2 = comm.find('\n',c1)) != string::npos )
{
@ -96,10 +96,8 @@ bool RoutingCompiler_iosacl::PrintRule::processNext()
c1 = c2 + 1;
}
compiler->output << "! " << comm.substr(c1) << endl;
compiler->output << "! " << endl;
current_rule_label=rl;
current_rule_label = rl;
}
string command_line = RoutingRuleToString(rule);


@ -68,8 +68,7 @@ void RoutingCompiler_pix::compile()
{
printRule = new RoutingCompiler_pix::PrintRule("");
cout << " Compiling routing rules for "
<< fw->getName() << " ..." << endl << flush;
info(" Compiling routing rules for " + fw->getName());
try
{
@ -78,6 +77,8 @@ void RoutingCompiler_pix::compile()
add(new RoutingCompiler::Begin());
add(new printTotalNumberOfRules());
add( new singleRuleFilter());
add(new recursiveGroupsInRDst("Check for recursive Groups in RDst"));
add(new emptyGroupsInRDst("Check for empty Groups in RDst"));
add(new emptyRDstAndRItf("Check if RDst and RItf are both empty"));
@ -115,7 +116,8 @@ void RoutingCompiler_pix::compile()
runRuleProcessors();
} catch (FWException &ex) {
} catch (FWException &ex)
{
error(ex.toString());
exit(1);
}


@ -52,9 +52,9 @@ namespace fwcompiler {
public:
RoutingCompiler_pix(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname, bool ipv6_policy,
libfwbuilder::Firewall *fw, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
RoutingCompiler_cisco(_db, fwname, ipv6_policy, _oscnf) {};
RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {};
virtual int prolog();
virtual void compile();


@ -69,18 +69,18 @@ bool RoutingCompiler_pix::PrintRule::processNext()
string::size_type c1, c2;
c1 = 0;
if (rl != current_rule_label)
if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label)
{
compiler->output << "! " << endl;
compiler->output << "! Rule " << rl << endl;
compiler->output << "! " << endl;
compiler->output << "! \"Routing rule " << rl << "\"" << endl;
compiler->output << "! " << endl;
compiler->output << "! " << endl;
compiler->output << "! Rule " << rl << endl;
compiler->output << "! " << endl;
compiler->output << "! \"Routing rule " << rl << "\"" << endl;
compiler->output << "! " << endl;
}
if( rule->getRuleType() != RoutingRule::MultiPath )
{
if (rl != current_rule_label)
if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label)
{
while ( (c2 = comm.find('\n',c1)) != string::npos )
{
@ -88,9 +88,7 @@ bool RoutingCompiler_pix::PrintRule::processNext()
c1 = c2 + 1;
}
compiler->output << "! " << comm.substr(c1) << endl;
compiler->output << "! " << endl;
current_rule_label=rl;
}


@ -9,16 +9,51 @@ SOURCES = PolicyCompiler_cisco.cpp \
RoutingCompiler_cisco.cpp \
RoutingCompiler_cisco_writers.cpp \
ACL.cpp \
Helper.cpp
Helper.cpp \
OSConfigurator_ios.cpp \
CompilerDriver_iosacl.cpp \
CompilerDriver_iosacl_run.cpp \
PolicyCompiler_iosacl.cpp \
PolicyCompiler_iosacl_writers.cpp \
RoutingCompiler_iosacl.cpp \
RoutingCompiler_iosacl_writers.cpp \
CompilerDriver_pix.cpp \
CompilerDriver_pix_run.cpp \
NATCompiler_pix.cpp \
NATCompiler_pix_writers.cpp \
OSConfigurator_pix_os.cpp \
OSConfigurator_pix_os_fixups.cpp \
PIXObjectGroup.cpp \
PolicyCompiler_pix.cpp \
PolicyCompiler_pix_writers.cpp \
PolicyCompiler_pix_v6_acls.cpp \
RoutingCompiler_pix.cpp \
RoutingCompiler_pix_writers.cpp
HEADERS = ../../config.h \
ACL.h \
Helper.h \
PolicyCompiler_cisco.h \
RoutingCompiler_cisco.h
RoutingCompiler_cisco.h \
CompilerDriver_iosacl.h \
OSConfigurator_ios.h \
PolicyCompiler_iosacl.h \
CompilerDriver_pix.h \
NATCompiler_pix.h \
OSConfigurator_pix_os.h \
PIXObjectGroup.h \
PolicyCompiler_pix.h \
RoutingCompiler_pix.h \
!macx:LIBS += $$LIBS_FWCOMPILER
# macx:LIBS += -L../../../libfwbuilder2-2.0.0/src/fwcompiler -lfwcompiler-2.0
macx:LIBS += $$LIBS_FWCOMPILER
INCLUDEPATH += ../compiler_lib
win32:LIBS += ../compiler_lib/release/compilerdriver.lib
!win32:LIBS += ../compiler_lib/libcompilerdriver.a
win32:PRE_TARGETDEPS = ../compiler_lib/release/compilerdriver.lib
!win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a
CONFIG += staticlib
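Review bot: The HEADERS list now ends with `RoutingCompiler_pix.h \`, a trailing line continuation with nothing after it; qmake joins whatever follows a backslash into the same value, so the list is terminated only by a blank line that the rendered page may not show, and removing that blank line would silently append `!macx:LIBS += $$LIBS_FWCOMPILER` to HEADERS. Dropping the backslash, `RoutingCompiler_pix.h`, closes the list the same way the old `RoutingCompiler_cisco.h` line did and removes the dependency on surrounding whitespace.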


@ -1,6 +1,8 @@
#include "../../config.h"
#include <qglobal.h>
#if defined(Q_OS_MACX) || defined(Q_OS_WIN32)
# include <qsettings.h>
# include <QDir>


@ -0,0 +1,901 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "../../build_num"
#include <fstream>
#include <iostream>
#include <iomanip>
#include <set>
#include <algorithm>
#include <functional>
#ifndef _WIN32
# include <unistd.h>
# include <pwd.h>
#else
# include <direct.h>
# include <stdlib.h>
# include <io.h>
#endif
#include "CompilerDriver.h"
#include "fwbuilder/FWObject.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwcompiler/Compiler.h"
#include <QStringList>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
CompilerDriver::CompilerDriver(FWObjectDatabase *db) : BaseCompiler()
{
fwbdebug = 0;
filename = "";
wdir = "";
fwobjectname = "";
fw_file_name = "";
dl = 0;
drp = -1;
rule_debug_on = false;
single_rule_compile_on = false;
drn = -1;
verbose = 0;
have_dynamic_interfaces = false;
ipv4_run = true;
ipv6_run = true;
fw_by_id = false;
objdb = new FWObjectDatabase(*db);
prolog_done = false;
epilog_done = false;
}
CompilerDriver::~CompilerDriver()
{
delete objdb;
}
// create a copy of itself, including objdb
CompilerDriver* CompilerDriver::clone()
{
return new CompilerDriver(objdb);
}
bool CompilerDriver::configure(const QStringList &args)
{
QString last_arg;
for (int idx=0; idx < args.size(); idx++)
{
QString arg = args.at(idx);
last_arg = arg;
if (arg == "-i")
{
fw_by_id = true;
continue;
}
if (arg == "-v")
{
verbose++;
continue;
}
if (arg == "-4")
{
ipv4_run = true;
ipv6_run = false;
continue;
}
if (arg == "-6")
{
ipv4_run = false;
ipv6_run = true;
continue;
}
if (arg == "-d")
{
idx++;
wdir = string(args.at(idx).toLatin1().constData());
continue;
}
if (arg == "-f")
{
idx++;
filename = string(args.at(idx).toLatin1().constData());
continue;
}
if (arg == "-o")
{
idx++;
fw_file_name = args.at(idx);
continue;
}
if (arg == "-O")
{
// parameter is ',' separated list of <member fw object ID>,
// <corresponding output file name>
// All separated by commands, the id and file name just
// follow one after another.
idx++;
QString member_files = args.at(idx);
QStringList mf_list = member_files.split(",");
QStringListIterator it(mf_list);
while (it.hasNext())
{
QString fw_id = it.next();
if (it.hasNext())
{
QString file_name = it.next();
member_file_names[fw_id] = file_name;
} else
{
QString err("Misconfigured -O option, missing file "
"name component for ID %1");
abort(err.arg(fw_id).toStdString());
}
}
continue;
}
if (arg == "-xt")
{
setTestMode();
info("*** Running in test mode, fatal errors are treated as warnings");
continue;
}
if (arg == "-xp")
{
idx++;
bool ok = false;
drp = args.at(idx).toInt(&ok);
if (!ok) return false;
rule_debug_on = true;
continue;
}
if (arg == "-xn")
{
idx++;
bool ok = false;
drn = args.at(idx).toInt(&ok);
if (!ok) return false;
rule_debug_on = true;
continue;
}
if (arg == "-s")
{
idx++;
single_rule_id = args.at(idx).toStdString();
single_rule_compile_on = true;
continue;
}
}
fwobjectname = last_arg;
if (wdir.empty()) wdir="./";
return true;
}
void CompilerDriver::chDir()
{
if (
#ifdef _WIN32
_chdir(wdir.c_str())
#else
chdir(wdir.c_str())
#endif
) {
cerr << "Can't change to: " << wdir << endl;
exit(1);
}
}
void CompilerDriver::commonChecks(Firewall *fw)
{
if (Cluster::isA(fw))
{
Cluster *cluster = Cluster::cast(fw);
// Check #1 : make sure output file names are different in member
// firewalls
set<string> output_file_names;
list<Firewall*> members;
cluster->getMembersList(members);
for (list<Firewall*>::iterator it=members.begin(); it!=members.end(); ++it)
{
FWOptions *fwopt = (*it)->getOptionsObject();
string ofname = fwopt->getStr("output_file");
if (ofname.empty()) continue;
if (output_file_names.count(ofname) > 0)
{
string err =
string("Member firewalls use the same output file name ") +
ofname;
throw FWException(err);
}
output_file_names.insert(ofname);
}
}
}
void CompilerDriver::commonChecks2(Cluster *cluster, Firewall *fw)
{
QString current_firewall_name = fw->getName().c_str();
string host_os = fw->getStr("host_OS");
if (cluster)
{
// firewall is a member of a cluster.
// Rely on the caller to make sure this firewall is really a member
// of this cluster. Do not perform redundant check here.
processStateSyncGroups(cluster, fw);
// some initial sanity checks
validateClusterGroups(cluster);
}
list<FWObject*> interfaces = fw->getByTypeDeep(Interface::TYPENAME);
for (list<FWObject*>::iterator i=interfaces.begin(); i!=interfaces.end(); ++i)
{
Interface *iface = Interface::cast(*i);
assert(iface);
string::size_type n;
if ( (n=iface->getName().find("*"))!=string::npos)
{
/* this is a special 'wildcard' interface. Its name must end with '*',
* it must be dynamic and should not have a child IPv4 or
* physAddress object
*/
if (n!=iface->getName().length()-1)
{
QString err("'*' must be the last character in "
"the wildcard's interface name: '%1'.");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str()).toStdString());
}
/*
removed test to implement RFE #837238: "unnummbered wildcard interfaces"
if (!iface->isDyn())
{
char errstr[256];
sprintf(errstr,
_("Wildcard interface '%s' must be dynamic."),
iface->getName().c_str() );
throw FWException(errstr);
}
*/
list<FWObject*> l3=iface->getByType(physAddress::TYPENAME);
if (l3.size()>0)
{
QString err("Wildcard interface '%1' should not have "
"physcal address object attached to it. "
"The physical address object will be ignored.");
error(fw, NULL, NULL,
err.arg(iface->getName().c_str()).toStdString());
for (list<FWObject*>::iterator j=l3.begin(); j!=l3.end(); ++j)
iface->remove(*j);
}
}
if ( iface->isUnnumbered()) continue;
if ( iface->isDyn())
{
have_dynamic_interfaces=true;
iface->setBool("use_var_address",true);
list<FWObject*> l3=iface->getByType(IPv4::TYPENAME);
if (l3.size()>0)
{
for (list<FWObject*>::iterator j=l3.begin(); j!=l3.end(); ++j)
if ( objdb->findAllReferences(*j).size()!=0 )
{
QString err("Dynamic interface %1 has IP address "
"that is used in the firewall policy rule.");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str()).toStdString());
}
QString err("Dynamic interface %1 should not have an "
"IP address object attached to it. "
"This IP address object will be ignored.");
error(fw, NULL, NULL,
err.arg(iface->getName().c_str()).toStdString());
for (list<FWObject*>::iterator j=l3.begin(); j!=l3.end(); ++j)
iface->remove(*j);
}
} else
{
bool no_addr_ok = false;
if (iface->getOptionsObject()->getBool("cluster_interface"))
{
// cluster interface with failover type heartbeat or
// openais may have no ip address. Other failover
// types require an address.
FWObject *failover_group =
iface->getFirstByType(FailoverClusterGroup::TYPENAME);
if (failover_group)
{
string failover_type = failover_group->getStr("type");
no_addr_ok = Resources::os_res[host_os]->getResourceBool(
"/FWBuilderResources/Target/protocols/" + failover_type + "/no_ip_ok");
}
}
list<FWObject*> all_addr = iface->getByType(IPv4::TYPENAME);
list<FWObject*> all_ipv6 = iface->getByType(IPv6::TYPENAME);
all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end());
if (iface->isRegular() &&
!no_addr_ok &&
all_addr.empty() &&
all_ipv6.empty())
{
QString err("Missing IP address for interface %1");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str()).toStdString());
}
for (list<FWObject*>::iterator j = all_addr.begin();
j != all_addr.end(); ++j)
{
const InetAddr *ip_addr = Address::cast(*j)->getAddressPtr();
if (ip_addr && ip_addr->isAny())
{
QString err("Interface %1 (id=%2) has IP address %3.");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(FWObjectDatabase::getStringId(
iface->getId()).c_str())
.arg(ip_addr->toString().c_str()).toStdString());
}
}
}
}
}
Firewall* CompilerDriver::locateObject()
{
Firewall* obj;
if (fw_by_id)
{
// fwobjectname is actually object id
obj = Firewall::cast(
objdb->findInIndex(
objdb->getIntId(fwobjectname.toAscii().constData())));
//fwobjectname = obj->getName().c_str();
}
else
obj = objdb->findFirewallByName(fwobjectname.toUtf8().constData());
return obj;
}
/**
* Determine output file name. If compiling standalone firewall, the
* name can be enforced via -o command line switch in which case it
* is in fw_file_name already. If not, determine automatically using
* firewall name.
*
* If compiling a cluster, the name could have been enforced via -O
* command line switch, in which case it will be found in
* member_file_names. If not, determine automatically using member
* firewall name.
*
* Returns determined output file name
*/
QString CompilerDriver::determineOutputFileName(Firewall *current_fw,
bool cluster_member,
const QString &ext)
{
QString current_firewall_name = current_fw->getName().c_str();
if (!cluster_member)
{
// standalone firewall
if (fw_file_name.isEmpty())
{
return current_firewall_name + ext;
} else
return fw_file_name;
}
// member of a cluster
QString fw_id = objdb->getStringId(current_fw->getId()).c_str();
if (member_file_names.contains(fw_id))
return member_file_names[fw_id];
else
return current_firewall_name + ext;
}
/* Find rulesets that belong to other firewall objects but are
* referenced by rules of this firewall using action Branch.
*
* Important: rulesets that belong to other firewalls may be marked as
* "top rulesets", which means they should be translated into the
* built-in chains INPUT/OUTPUT/FORWARD rather then into named chain
* with the name the same as the name of the ruleset. However this
* does not make sense if we want to jump to that ruleset from a rule
* from a ruleset that belongs to the firewall we are compiling. If we
* compile such "foreighn" ruleset as "top ruleset", then we do not
* create chain we would jump to. To avoid this will reset "top
* ruleset" flag of rulesets of other firewalls referenced by
* branching rules of the firewall being compiled.
*/
void CompilerDriver::findImportedRuleSets(Firewall *fw,
list<FWObject*> &all_policies)
{
list<FWObject*> imported_policies;
for (list<FWObject*>::iterator i=all_policies.begin();
i!=all_policies.end(); ++i)
{
for (list<FWObject*>::iterator r=(*i)->begin(); r!=(*i)->end(); ++r)
{
PolicyRule *rule = PolicyRule::cast(*r);
RuleSet *ruleset = NULL;
if (rule->getAction() == PolicyRule::Branch &&
(ruleset