From 2b54b4c49b2a74776fee88e89c8e0074da7ee566 Mon Sep 17 00:00:00 2001 From: Vadim Kurland Date: Thu, 21 Jul 2011 14:17:48 -0700 Subject: [PATCH] fixes #2565 "Run-time dns name or address table in routing policy -> crash". Compiler for PF crashed if user placed run-time DNSName object in "destination" of a routing rule. --- doc/ChangeLog | 5 +++ .../src/fwcompiler/RoutingCompiler.cpp | 45 +++++++++++++------ 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index 4ce7e825d..03743daa7 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,10 @@ 2011-07-21 vadim + * RoutingCompiler.cpp (processNext): fixes #2565 "Run-time dns + name or address table in routing policy -> crash". Compiler for PF + crashed if user placed run-time DNSName object in "destination" + of a routing rule. + * RuleSetModel.cpp (initRule): see #2515 Expanded set of options the user can change to pre-set parameters in the new policy rules they create. Now user can set default values for action ("Deny" or diff --git a/src/libfwbuilder/src/fwcompiler/RoutingCompiler.cpp b/src/libfwbuilder/src/fwcompiler/RoutingCompiler.cpp index 9c78ecbbf..febf8cf50 100644 --- a/src/libfwbuilder/src/fwcompiler/RoutingCompiler.cpp +++ b/src/libfwbuilder/src/fwcompiler/RoutingCompiler.cpp 
@@ -257,17 +257,21 @@ bool RoutingCompiler::singleAdressInRGtw::processNext()
 }
 
 // recursive network validity check
-bool RoutingCompiler::validateNetwork::checkValidNetwork(FWObject *o) {
-
-    if( Network::cast(o) != NULL) {
+bool RoutingCompiler::validateNetwork::checkValidNetwork(FWObject *o)
+{
+    if( Network::cast(o) != NULL)
+    {
         return ((Network *)o)->isValidRoutingNet();
     }
-
+
     /* if we have a group containing networks and groups, we want to check them too */
-    if( ObjectGroup::cast(o) != NULL) {
-
-        FWObjectTypedChildIterator child_i = o->findByType(FWObjectReference::TYPENAME);
-        for ( ; child_i != child_i.end(); ++child_i) {
+    if( ObjectGroup::cast(o) != NULL)
+    {
+        FWObjectTypedChildIterator child_i =
+            o->findByType(FWObjectReference::TYPENAME);
+
+        for ( ; child_i != child_i.end(); ++child_i)
+        {
             FWObjectReference *child_r = FWObjectReference::cast(*child_i);
             assert(child_r);
             FWObject *child = child_r->getPointer();
@@ -276,12 +280,16 @@ bool RoutingCompiler::validateNetwork::checkValidNetwork(FWObject *o) {
             ObjectGroup *group;
 
             // Network
-            if ((network=Network::cast(child)) != NULL) {
-                if (checkValidNetwork(network) == false) {
+            if ((network=Network::cast(child)) != NULL)
+            {
+                if (checkValidNetwork(network) == false)
+                {
                     return false;
                 }
-            } else if ((group=ObjectGroup::cast(child)) != NULL) { // Group
-                if (checkValidNetwork(group) == false) {
+            } else if ((group=ObjectGroup::cast(child)) != NULL)
+            { // Group
+                if (checkValidNetwork(group) == false)
+                {
                     return false;
                 }
             }
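Review bot: The restyled `checkValidNetwork` still discards the result of `Network::cast(o)` and re-derives it with a C-style cast on the unchanged line `return ((Network *)o)->isValidRoutingNet();`; since this commit already touches every brace in that `if`, the same lines could keep the checked pointer instead: `Network *net = Network::cast(o);` / `if (net != NULL)` / `return net->isValidRoutingNet();`, matching how `network` and `group` already hold the cast result in the second hunk (`@@ -276,12 +280,16 @@`). The recursion into nested `ObjectGroup`s has no guard against a group that transitively references itself; if the object model allows such a reference cycle, `checkValidNetwork` would recurse without bound, so that is worth confirming against how references are built. The function's body runs past the end of both hunks.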
@@ -301,8 +309,17 @@ bool RoutingCompiler::validateNetwork::processNext() RuleElementRDst *dstrel=rule->getRDst(); FWObject *o = FWReference::cast(dstrel->front())->getPointer(); - if( checkValidNetwork(o) == false) { - + // currently we do not support run-time DNSName and AddressTable objects + // in routing rules. + MultiAddress *ma = MultiAddress::cast(o); + if (ma && ma->isRunTime()) + { + compiler->abort(rule, "Use of dynamic run-time objects " + "as destination in routing rules is not supported."); + } + + if( checkValidNetwork(o) == false) + { string msg; msg = "Object \"" + o->getName() + "\" used as destination in the routing rule " +