
refs #1907 refactoring to make it possible to use object groups in both the policy and NAT compilers using the same code

This commit is contained in:
Vadim Kurland 2011-01-11 20:51:43 -08:00
parent c6abdb0fc6
commit 31f6ddb86a
20 changed files with 224 additions and 58 deletions


@ -39,6 +39,7 @@
using namespace libfwbuilder;
using namespace std;
using namespace fwcompiler;
const char *ASA8ObjectGroup::TYPENAME={"ASA8ObjectGroup"};


@ -23,23 +23,26 @@
*/
#ifndef __ASA8OBJECTGROUP_HH
#define __ASA8OBJECTGROUP_HH
#ifndef _ASA8_OBJECT_GROUP_HH
#define _ASA8_OBJECT_GROUP_HH
#include "PIXObjectGroup.h"
class ASA8ObjectGroup : public PIXObjectGroup {
public:
ASA8ObjectGroup(object_group_type _gt=UNKNOWN) : PIXObjectGroup(_gt) { }
virtual ~ASA8ObjectGroup() {};
DECLARE_FWOBJECT_SUBTYPE(ASA8ObjectGroup);
namespace fwcompiler {
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString() throw(libfwbuilder::FWException);
class ASA8ObjectGroup : public PIXObjectGroup {
};
public:
ASA8ObjectGroup(object_group_type _gt=UNKNOWN) : PIXObjectGroup(_gt) { }
virtual ~ASA8ObjectGroup() {};
DECLARE_FWOBJECT_SUBTYPE(ASA8ObjectGroup);
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString() throw(libfwbuilder::FWException);
};
}
#endif
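Review bot: The new include guard `_ASA8_OBJECT_GROUP_HH` is a reserved identifier — a leading underscore followed by an uppercase letter is reserved for the implementation — so the rename trades one reserved name (`__ASA8OBJECTGROUP_HH`) for another; `ASA8_OBJECT_GROUP_HH` would avoid it, and the same applies to `_OBJECT_GROUPS_SUPPORT_HH` in the new ObjectGroupsSupport.h. The project's other guards (e.g. `_NATCOMPILER_ASA8_HH`) follow the same pattern, so this may be deliberate consistency rather than an oversight. The `throw(libfwbuilder::FWException)` specification and the stray `;` after the destructor body are pre-existing and only moved into the namespace here.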


@ -41,6 +41,7 @@
#include "PolicyCompiler_iosacl.h"
#include "RoutingCompiler_iosacl.h"
#include "OSConfigurator_ios.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"


@ -42,6 +42,7 @@
#include "NATCompiler_asa8.h"
#include "RoutingCompiler_pix.h"
#include "OSConfigurator_pix_os.h"
#include "ObjectGroupsSupport.h"
#include "Helper.h"


@ -41,6 +41,7 @@
#include "PolicyCompiler_procurve_acl.h"
#include "RoutingCompiler_procurve_acl.h"
#include "OSConfigurator_procurve.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"


@ -24,6 +24,8 @@
#include "config.h"
#include "NATCompiler_asa8.h"
#include "ASA8Object.h"
#include "ASA8ObjectGroup.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
@ -64,6 +66,17 @@ NATCompiler_asa8::NATCompiler_asa8(FWObjectDatabase *_db,
{
}
NATCompiler_asa8::~NATCompiler_asa8()
{
std::map<int, ASA8Object*>::iterator it1;
for (it1=asa8_object_registry.begin();
it1!=asa8_object_registry.end(); ++it1)
{
delete it1->second;
}
asa8_object_registry.clear();
}
/*
* Option "translate dns" can not be used if the rule has "destination"
* part.
@ -273,7 +286,6 @@ void NATCompiler_asa8::compile()
add( new checkForUnnumbered("check for unnumbered interfaces"));
// add( new ConvertToAtomic("convert to atomic rules" ));
add( new ConvertToAtomicForOriginal("convert to atomic for OSrc, ODst, OSrv"));
// remove ConvertToAtomicForTSrc if we figure out a way to support multiple
// translated soruces per #1907
@ -309,6 +321,7 @@ void NATCompiler_asa8::compile()
add( new PrintClearCommands("Clear ACLs" ));
add( new PrintObjectsForNat("generate objects for nat commands"));
// add( new PrintObjectsForTSrc("generate object groups and objects for TSrc"));
add( new PrintRule("generate PIX code" ));
add( new storeProcessedRules ("store processed rules" ));
add( new simplePrintProgress ());
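Review bot: `PrintObjectsForTSrc` is declared in the header and defined in NATCompiler_asa8_writers.cpp, but the only line that would put it in the chain is left commented out, and the comment above `ConvertToAtomicForTSrc` only hints at why; a reader of `compile()` cannot tell whether the processor is unfinished or intentionally disabled. Replace the commented-out `add(...)` with a comment that states the status, e.g. `// TODO(#1907): PrintObjectsForTSrc is a stub; enable it once multiple translated sources per rule are supported`. The same comment block has a typo, "soruces". The destructor moved into this file (`delete it1->second` over `asa8_object_registry`) is a plain move of the writers.cpp code and looks fine; `compile()` itself starts and ends outside these hunks.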


@ -25,7 +25,6 @@
#define _NATCOMPILER_ASA8_HH
#include "NATCompiler_pix.h"
#include "ASA8Object.h"
#include <QString>
@ -34,6 +33,9 @@
namespace fwcompiler {
class ASA8Object;
class ASA8ObjectGroup;
class NATCompiler_asa8 : public NATCompiler_pix
{
public:
@ -58,6 +60,13 @@ namespace fwcompiler {
DECLARE_NAT_RULE_PROCESSOR(PrintObjectsForNat);
/**
* TSrc may contain multiple objects, so we should group them
* in order to put all addresses, address ranges and subnets
* into an object-group and keep interfaces separate.
*/
DECLARE_NAT_RULE_PROCESSOR(PrintObjectsForTSrc);
/*
* Check if "translate dns" option can be used with the rule
*/


@ -58,16 +58,6 @@ void NATCompiler_asa8::addASA8Object(const FWObject *obj)
}
}
NATCompiler_asa8::~NATCompiler_asa8()
{
std::map<int, ASA8Object*>::iterator it;
for (it=asa8_object_registry.begin(); it!=asa8_object_registry.end(); ++it)
{
delete it->second;
}
asa8_object_registry.clear();
}
ASA8Object* NATCompiler_asa8::getASA8Object(const FWObject *obj)
{
return asa8_object_registry[obj->getId()];
@ -76,8 +66,6 @@ ASA8Object* NATCompiler_asa8::getASA8Object(const FWObject *obj)
bool NATCompiler_asa8::PrintObjectsForNat::processNext()
{
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
slurp();
if (tmp_queue.size()==0) return false;
@ -87,7 +75,6 @@ bool NATCompiler_asa8::PrintObjectsForNat::processNext()
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *rule = NATRule::cast( *k );
// NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ];
Address *osrc = compiler->getFirstOSrc(rule); assert(osrc);
Address *odst = compiler->getFirstODst(rule); assert(odst);
@ -108,6 +95,40 @@ bool NATCompiler_asa8::PrintObjectsForNat::processNext()
return true;
}
bool NATCompiler_asa8::PrintObjectsForTSrc::processNext()
{
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
compiler->output << endl;
/*
* Gather all objects that are not interface in an object-group,
* then replace them with reference to this group in rule
* element. Leave interface object(s) alone. There should be just
* one interface that is the child of the firewall at this point
* but I do not verify this in this rule processor.
*/
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *rule = NATRule::cast( *k );
RuleElementTSrc *tsrc = rule->getTSrc(); assert(tsrc);
for (FWObject::iterator it=tsrc->begin(); it!=tsrc->end(); ++it)
{
FWObject *obj = FWReference::getObject(*it);
}
}
return true;
}
bool NATCompiler_asa8::PrintClearCommands::processNext()
{
string version = compiler->fw->getStr("version");
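Review bot: The new `PrintObjectsForTSrc::processNext()` is a stub whose inner loop computes `FWObject *obj = FWReference::getObject(*it);` and never uses it, and `pix_comp` from the unchecked `dynamic_cast` is unused as well, so the body does none of the grouping its comment describes and will warn on unused locals. Since the processor is not wired into `compile()` yet, make the stub explicit rather than leaving code that looks half-written: drop `pix_comp`, and put `// TODO(#1907): group non-interface objects into an object-group and replace them in tsrc` in place of the empty loop body, or keep `(void)obj;` until it is used. The `asa8_object_registry[obj->getId()]` lookup in the context above uses `operator[]`, which inserts a NULL entry on a miss; that is pre-existing, but worth knowing when the registry is deleted in the destructor.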


@ -26,6 +26,7 @@
#include "config.h"
#include "NATCompiler_pix.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
@ -71,6 +72,8 @@ NATCompiler_pix::NATCompiler_pix(FWObjectDatabase *_db,
OSConfigurator *_oscnf) :
NATCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this)
{
// initialize object groups support
CreateObjectGroups::init(dbcopy);
}
NATCompiler_pix::~NATCompiler_pix()
@ -216,9 +219,9 @@ string NATCompiler_pix::getNATACLname(Rule *rule,string suffix)
int NATCompiler_pix::prolog()
{
global_pool_no=1;
global_pool_no = 1;
final_ruleset=new NAT();
final_ruleset = new NAT();
fw->add( final_ruleset );
return NATCompiler::prolog();
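Review bot: `CreateObjectGroups::init(dbcopy)` in the NATCompiler_pix constructor assigns the process-wide static `CreateObjectGroups::object_groups` (defined in ObjectGroupsSupport.cpp), and the PolicyCompiler_cisco constructor in this commit does the same, so whichever compiler is constructed last wins: the earlier compiler's `CreateObjectGroups` and `printObjectGroups` processors then read a Group that lives in another compiler's `dbcopy`, and if that database is freed first the static pointer dangles. If the PIX policy and NAT compilers are constructed in the same process — which the commit title suggests is the goal — this needs either per-compiler storage reached through the compiler (as the removed `object_groups` member did) or a documented one-init-per-process rule. At minimum `init` should not silently replace a live group: `assert(object_groups == NULL);` before the `new Group()` in ObjectGroupsSupport.cpp would surface the double initialization immediately.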


@ -37,6 +37,7 @@
using namespace libfwbuilder;
using namespace std;
using namespace fwcompiler;
BaseObjectGroup* ObjectGroupFactory::createObjectGroup(


@ -25,7 +25,7 @@
#include "config.h"
#include "PolicyCompiler_cisco.h"
#include "ObjectGroupsSupport.h"
#include "ObjectGroupFactory.h"
#include "fwbuilder/FWObjectDatabase.h"
@ -40,6 +40,9 @@
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/Firewall.h"
#include "fwcompiler/Compiler.h"
#include <iostream>
#include <algorithm>
@ -55,13 +58,17 @@ using namespace fwcompiler;
using namespace std;
Group *CreateObjectGroups::object_groups = NULL;
BaseObjectGroup* PolicyCompiler_cisco::CreateObjectGroups::findObjectGroup(
RuleElement *re)
void CreateObjectGroups::init(FWObjectDatabase *db)
{
PolicyCompiler_cisco *cisco_comp = dynamic_cast<PolicyCompiler_cisco*>(compiler);
object_groups = new Group();
db->add( object_groups );
}
BaseObjectGroup* CreateObjectGroups::findObjectGroup(RuleElement *re)
{
list<FWObject*> relement;
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
@ -72,8 +79,7 @@ BaseObjectGroup* PolicyCompiler_cisco::CreateObjectGroups::findObjectGroup(
}
for (FWObject::iterator i=cisco_comp->object_groups->begin();
i!=cisco_comp->object_groups->end(); ++i)
for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i)
{
BaseObjectGroup *og=dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
@ -98,10 +104,10 @@ BaseObjectGroup* PolicyCompiler_cisco::CreateObjectGroups::findObjectGroup(
return NULL;
}
bool PolicyCompiler_cisco::CreateObjectGroups::processNext()
bool CreateObjectGroups::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
PolicyCompiler_cisco *cisco_comp = dynamic_cast<PolicyCompiler_cisco*>(compiler);
Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInterfaceId()));
assert(rule_iface);
@ -143,7 +149,7 @@ bool PolicyCompiler_cisco::CreateObjectGroups::processNext()
gn.push_back(name_suffix.c_str());
obj_group->setName(gn.join(".").toStdString());
cisco_comp->object_groups->add(obj_group);
object_groups->add(obj_group);
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
@ -163,23 +169,21 @@ bool PolicyCompiler_cisco::CreateObjectGroups::processNext()
return true;
}
bool PolicyCompiler_cisco::printObjectGroups::processNext()
bool printObjectGroups::processNext()
{
PolicyCompiler_cisco *cisco_comp=dynamic_cast<PolicyCompiler_cisco*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
for (FWObject::iterator i=cisco_comp->object_groups->begin();
i!=cisco_comp->object_groups->end(); ++i)
for (FWObject::iterator i=CreateObjectGroups::object_groups->begin();
i!=CreateObjectGroups::object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
if (og->size()==0) continue;
cisco_comp->output << endl;
compiler->output << endl;
try
{
cisco_comp->output << og->toString();
compiler->output << og->toString();
} catch (FWException &ex)
{
compiler->abort(ex.toString());
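Review bot: Every use of the new static — `object_groups->begin()` in `findObjectGroup`, `object_groups->add(obj_group)` in `CreateObjectGroups::processNext`, the loop in `printObjectGroups::processNext`, and `_printClearCommands` in PolicyCompiler_iosacl_writers.cpp — dereferences `CreateObjectGroups::object_groups` without checking that `init()` has run, and it is NULL by default (`Group *CreateObjectGroups::object_groups = NULL;`), so a compiler that forgets the constructor call crashes on the first rule instead of failing with a message. Add `assert(object_groups != NULL);` at the top of `CreateObjectGroups::processNext()` and `printObjectGroups::processNext()`, or have `init` be invoked lazily from a small accessor. `processNext` now takes a plain `Rule*` from `prev_processor->getNextRule()` and immediately calls `rule->getInterfaceId()`; if that accessor is declared on the policy-rule subclass rather than on `Rule`, this will not compile, so confirm it lives on the base. Both `findObjectGroup` and `CreateObjectGroups::processNext` continue past these hunks.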


@ -0,0 +1,99 @@
/*
Firewall Builder
Copyright (C) 2010-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _OBJECT_GROUPS_SUPPORT_HH
#define _OBJECT_GROUPS_SUPPORT_HH
#include "config.h"
#include "BaseObjectGroup.h"
#include "fwbuilder/Group.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwcompiler/RuleProcessor.h"
namespace fwcompiler
{
class CreateObjectGroups : public BasicRuleProcessor
{
std::string re_type;
std::string name_suffix;
BaseObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re);
public:
// storage for object groups created to be used with PIX command object-group
static libfwbuilder::Group *object_groups;
CreateObjectGroups(const std::string &name,
const std::string &_ns,
const std::string &_type) :
BasicRuleProcessor(name) {re_type=_type; name_suffix=_ns; }
virtual bool processNext();
static void init(libfwbuilder::FWObjectDatabase *db);
};
class CreateObjectGroupsForSrc : public CreateObjectGroups
{
public:
CreateObjectGroupsForSrc(const std::string &n):
CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME) {}
};
class CreateObjectGroupsForDst : public CreateObjectGroups
{
public:
CreateObjectGroupsForDst(const std::string &n):
CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME) {}
};
class CreateObjectGroupsForSrv : public CreateObjectGroups
{
public:
CreateObjectGroupsForSrv(const std::string &n):
CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {}
};
/**
* this processor accumulates all rules fed to it by previous
* processors, then prints all object groups and feeds all
* rules to the next processor. Usually this processor is in
* chain right before PrintRules.
*
*/
class printObjectGroups : public BasicRuleProcessor
{
public:
printObjectGroups(const std::string &n) : BasicRuleProcessor(n) {}
virtual bool processNext();
};
}
#endif
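Review bot: The class comment that described `CreateObjectGroups` in PolicyCompiler_cisco.h ("this processor creates PIX-specific object groups (PIX CLI command "object-group") for rules with …") was not carried over, so the new header documents `printObjectGroups` but not the processor that does the work; move that comment above `class CreateObjectGroups`, and document on `init` that the created Group is added to, and therefore owned by, the database passed in, and that it must be called once per compiler before any of these processors run. The constructor assigns `re_type` and `name_suffix` in its body; the initializer-list form `BasicRuleProcessor(name), re_type(_type), name_suffix(_ns) {}` is the idiomatic spelling and avoids default-constructing the strings first. The public mutable `static libfwbuilder::Group *object_groups;` is reachable from any translation unit; if it must stay static, a private member with an accessor limits who can reassign it.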


@ -26,6 +26,7 @@
#include "config.h"
#include "PolicyCompiler_cisco.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
@ -59,8 +60,8 @@ PolicyCompiler_cisco::PolicyCompiler_cisco(FWObjectDatabase *_db,
OSConfigurator *_oscnf) :
PolicyCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this)
{
object_groups = new Group();
dbcopy->add( object_groups );
// initialize object groups support
CreateObjectGroups::init(dbcopy);
}
int PolicyCompiler_cisco::prolog()
@ -812,7 +813,6 @@ bool PolicyCompiler_cisco::processMultiAddressObjectsInRE::processNext()
return true;
}
void PolicyCompiler_cisco::compile()
{
}


@ -447,7 +447,7 @@ protected:
processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementDst::TYPENAME) {}
};
#ifdef OLD_STYLE_OBJECT_GROUP_SUPPORT
/**
* this processor creates PIX-specific object groups
* (PIX CLI command "object-group") for rules with
@ -457,7 +457,7 @@ protected:
{
std::string re_type;
std::string name_suffix;
BaseObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re);
public:
CreateObjectGroups(const std::string &name,
const std::string &_ns,
@ -503,14 +503,13 @@ protected:
};
friend class PolicyCompiler_cisco::printObjectGroups;
#endif
protected:
Helper helper;
std::map<std::string,ciscoACL*> acls;
// storage for object groups created to be used with PIX command object-group
libfwbuilder::Group *object_groups;
virtual std::string myPlatformName();
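Review bot: The old processors are fenced with `#ifdef OLD_STYLE_OBJECT_GROUP_SUPPORT`, but nothing in the commit defines that macro, so the block (including `friend class PolicyCompiler_cisco::printObjectGroups;`) is dead code that can no longer be compiled against the moved implementations and will drift; since `PolicyCompiler_cisco_object_groups.cpp` is already dropped from the .pro file, deleting the block is cleaner than keeping it under an ifdef. If it is kept deliberately as a reference during the #1907 work, say so: `// Kept for reference while object groups move to ObjectGroupsSupport.h (refs #1907); remove when done`. The class declaration starts and ends outside these hunks.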


@ -26,6 +26,7 @@
#include "config.h"
#include "PolicyCompiler_iosacl.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
@ -85,8 +86,8 @@ int PolicyCompiler_iosacl::prolog()
"use_acl_remarks",
fw->getOptionsObject()->getBool("iosacl_use_acl_remarks"));
object_groups = new Group();
dbcopy->add( object_groups );
// object_groups = new Group();
// dbcopy->add( object_groups );
setAllNetworkZonesToNone();
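Review bot: The two lines in `prolog()` are commented out rather than removed; they referenced the `object_groups` member this commit deletes from PolicyCompiler_cisco, so they can never be re-enabled as written and only confuse a reader about where the group now comes from. Delete them, and if the reason matters leave one line: `// object groups are created by CreateObjectGroups::init() in the PolicyCompiler_cisco constructor`. Note the behavior change: previously this prolog replaced the base-class group with a fresh one, now the IOS ACL compiler shares the single static group created by the base constructor. `prolog()` continues outside the hunk.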


@ -25,6 +25,7 @@
#include "PolicyCompiler_iosacl.h"
#include "IOSObjectGroup.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressRange.h"
@ -150,7 +151,8 @@ void PolicyCompiler_iosacl::_printClearCommands()
}
output << endl;
for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i)
for (FWObject::iterator i=CreateObjectGroups::object_groups->begin();
i!=CreateObjectGroups::object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);


@ -30,6 +30,7 @@
#include "PolicyCompiler_pix.h"
#include "NATCompiler_pix.h"
#include "PIXObjectGroup.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"


@ -6,7 +6,7 @@ TEMPLATE = lib
#
SOURCES = PolicyCompiler_cisco.cpp \
PolicyCompiler_cisco_acls.cpp \
PolicyCompiler_cisco_object_groups.cpp \
ObjectGroupsSupport.cpp \
RoutingCompiler_cisco.cpp \
RoutingCompiler_cisco_writers.cpp \
ACL.cpp \
@ -54,6 +54,7 @@ HEADERS = ../../config.h \
ACL.h \
Helper.h \
ASA8Object.h \
ObjectGroupsSupport.h \
inspectionProtocol.h \
InspectionClassMap.h \
PolicyCompiler_cisco.h \


@ -448,6 +448,7 @@ public:
DECLARE_CREATE_OBJ_METHOD(UDPService);
DECLARE_CREATE_OBJ_METHOD(UserService);
DECLARE_CREATE_OBJ_METHOD(physAddress);
DECLARE_CREATE_OBJ_METHOD(Group);
};
}


@ -238,6 +238,9 @@ void FWObjectDatabase::init_create_methods_table()
&FWObjectDatabase::createFWObjectUserService;
create_methods["physAddress"] =
&FWObjectDatabase::createFWObjectphysAddress;
create_methods["Group"] =
&FWObjectDatabase::createFWObjectGroup;
}
}
@ -372,3 +375,4 @@ CREATE_OBJ_METHOD(TagService);
CREATE_OBJ_METHOD(UDPService);
CREATE_OBJ_METHOD(UserService);
CREATE_OBJ_METHOD(physAddress);
CREATE_OBJ_METHOD(Group);
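Review bot: Registering a create method for the generic `"Group"` type is a database-wide change with no comment explaining why it became necessary in a compiler refactoring; presumably it is needed because `CreateObjectGroups::init()` now adds a plain `Group` to `dbcopy` and the database must be able to construct that type when it is copied or loaded, but that is an inference. A one-line comment next to `create_methods["Group"]`, e.g. `// plain Group objects are created at compile time by CreateObjectGroups::init() and must be constructible by the database`, would let the next reader confirm or correct that. It would also be worth confirming that a `Group` element appearing in a saved .fwb file is acceptable now that the loader can instantiate one.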