
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTCPFlags):

Implemented TCP flag matching per #2865044: "Add TCP options
support for IOS ACL". Uses extended ACL option "match-all" that
supports a list of TCP flags that should be set and cleared. This
requires IOS v12.4 or later even though Cisco documentation seems
to indicate this option was introduced in 12.3(4)T. Fixes #455
This commit is contained in:
Vadim Kurland 2009-11-08 06:21:39 +00:00
parent 65634fd824
commit 33fac22504
7 changed files with 169 additions and 27 deletions


@ -1 +1 @@
#define BUILD_NUM 1693
#define BUILD_NUM 1695


@ -1,3 +1,12 @@
2009-11-07 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTCPFlags):
Implemented TCP flag matching per #2865044: "Add TCP options
support for IOS ACL". Uses extended ACL option "match-all" that
supports list of TCP flags that should be set and cleared. This
requires IOS v12.4 or later even though Cisco documentation seems
to indicate this option was introduced in 12.3(4)T. Fixes #455
2009-11-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pix_writers.cpp (PrintRule::_printDstService): PIX
@ -5,10 +14,10 @@
Fixes #567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3
12.3, 12.4
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.3 or
Added support for IP options matching, requires IOS v12.4 or
later. Fixes #566, #568
* configlets/sveasoft/script_skeleton: Fixes #571 /bin/sh on


@ -129,19 +129,14 @@ bool PolicyCompiler_iosacl::SpecialServices::processNext()
s->getBool("ssrr") ||
s->getBool("ts") )
compiler->abort(
rule,
"IOS ACL does not support checking for IP options in ACLs.");
}
if (TCPService::cast(s)!=NULL) {
if (s->getBool("ack_flag") ||
s->getBool("fin_flag") ||
s->getBool("rst_flag") ||
s->getBool("syn_flag") )
compiler->abort(
rule,
"IOS ACL does not support checking for TCP options in ACLs.");
if (TCPService::cast(s)!=NULL && TCPService::cast(s)->inspectFlags())
{
string version = compiler->fw->getStr("version");
if (XMLTools::version_compare(version, "12.4")<0)
compiler->abort(rule, "TCP flags match requires IOS v12.4 or later.");
}
tmp_queue.push_back(rule);
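Review bot: `TCPService::cast(s)` is evaluated twice on the new condition line; binding it once, `TCPService *tcp = TCPService::cast(s); if (tcp != NULL && tcp->inspectFlags())`, reads more clearly and keeps the null check next to the call that depends on it. The new `_printTCPFlags` in the writers file carries a comment saying it relies on this abort instead of enforcing the version itself, so the check here is the only effective gate and deserves a comment saying so: `// Sole version gate for TCP flag matching; PrintRule::_printTCPFlags does not re-validate.` The enclosing `processNext()` body starts and ends outside the hunk.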


@ -30,6 +30,7 @@
#include "fwcompiler/PolicyCompiler.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "Helper.h"
#include "ACL.h"
@ -187,11 +188,13 @@ namespace fwcompiler {
std::string current_rule_label1;
std::map<std::string,std::string> current_rule_label2;
int aclLineCounter;
std::string getTcpFlagName(const libfwbuilder::TCPService::TCPFlag f);
std::string _printSrcService(libfwbuilder::Service *srv);
std::string _printDstService(libfwbuilder::Service *srv);
std::string _printAddr(libfwbuilder::Address *o);
std::string _printProtocol(libfwbuilder::Service *srv);
std::string _printTCPFlags(libfwbuilder::TCPService *srv);
std::string _printAction(libfwbuilder::PolicyRule *r);
std::string _printACL(libfwbuilder::PolicyRule *r);
std::string _printLog(libfwbuilder::PolicyRule *r);
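Review bot: The added `getTcpFlagName` declaration takes `const libfwbuilder::TCPService::TCPFlag f` by value; top-level `const` on a by-value parameter is meaningless in a declaration, and the definition in the writers file reads no member state, so `static std::string getTcpFlagName(libfwbuilder::TCPService::TCPFlag f);` would state the actual contract. A one-line comment would also help callers, since `_printTCPFlags` emits a bare `+`/`-` token when the name comes back empty: `// IOS keyword for a TCP flag ("ack", "syn", ...); empty string for a flag it does not know.` The enclosing class body starts and ends outside the hunk.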


@ -61,6 +61,8 @@
#include <assert.h>
#include <QStringList>
using namespace libfwbuilder;
using namespace fwcompiler;
@ -365,8 +367,8 @@ string PolicyCompiler_iosacl::PrintRule::_printIPServiceOptions(PolicyRule *r)
if (srv->getBool("fragm") || srv->getBool("short_fragm"))
return "fragments ";
if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.3")<0)
compiler->abort(r, "IP options match requires IOS v12.3 or later.");
if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.4")<0)
compiler->abort(r, "IP options match requires IOS v12.4 or later.");
if (ip->getBool("lsrr")) return "option lsr";
if (ip->getBool("ssrr")) return "option ssr";
@ -405,8 +407,12 @@ string PolicyCompiler_iosacl::PrintRule::_printDstService(Service *srv)
str << "range " << rs << " " << re << " ";
}
}
if (TCPService::isA(srv) && srv->getBool("established"))
str << "established ";
if (TCPService::isA(srv))
{
if (srv->getBool("established")) str << "established ";
else str << _printTCPFlags(TCPService::cast(srv));
}
if ((ICMPService::isA(srv) || ICMP6Service::isA(srv)) && srv->getInt("type")!=-1)
str << srv->getStr("type") << " ";
@ -418,6 +424,50 @@ string PolicyCompiler_iosacl::PrintRule::_printDstService(Service *srv)
return str.str();
}
string PolicyCompiler_iosacl::PrintRule::getTcpFlagName(const TCPService::TCPFlag f)
{
switch (f)
{
case TCPService::URG: return "urg";
case TCPService::ACK: return "ack";
case TCPService::PSH: return "psh";
case TCPService::RST: return "rst";
case TCPService::SYN: return "syn";
case TCPService::FIN: return "fin";
default: return "";
}
return "";
}
string PolicyCompiler_iosacl::PrintRule::_printTCPFlags(TCPService *srv)
{
if (srv->inspectFlags())
{
// We check the version and call compiler->abort() if its
// wrong in SpecialServices rule processor. Here we should just execute.
string version = compiler->fw->getStr("version");
if (XMLTools::version_compare(version, "12.4")>=0)
{
std::set<TCPService::TCPFlag> flags = srv->getAllTCPFlags();
std::set<TCPService::TCPFlag> masks = srv->getAllTCPFlagMasks();
std::set<TCPService::TCPFlag>::iterator mit = masks.begin();
QStringList match_specs;
for (; mit!=masks.end(); mit++)
{
if (flags.count(*mit) > 0)
match_specs.push_back(QString("+%1").arg(getTcpFlagName(*mit).c_str()));
else
match_specs.push_back(QString("-%1").arg(getTcpFlagName(*mit).c_str()));
}
if (!match_specs.empty())
match_specs.push_front("match-all");
return match_specs.join(" ").toStdString() + " ";
}
}
return "";
}
string PolicyCompiler_iosacl::PrintRule::_printProtocol(Service *srv)
{
PolicyCompiler_iosacl *iosacl_comp = dynamic_cast<PolicyCompiler_iosacl*>(
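Review bot: In the new `_printTCPFlags`, a version older than 12.4 falls through to `return "";`, so if that path were ever reached the rule would be emitted as a plain TCP entry without the `match-all` qualifier — a silently wider match than the service object specifies — instead of failing. The comment on the function already says `SpecialServices` aborts compilation on an old version, which makes the second version check dead in the intended flow while leaving it with the wrong failure mode; either drop the re-check and document the reliance, or fail loudly rather than returning an empty qualifier (the variant below drops it, on the assumption that SpecialServices runs before PrintRule on every path — worth confirming). It also returns a lone `" "` when `masks` is empty, `mit++` on a set iterator should be `++mit`, and the `return "";` after the `switch` in `getTcpFlagName` is unreachable because every case returns. `_printProtocol` at the end of the hunk continues outside it.
```cpp
string PolicyCompiler_iosacl::PrintRule::_printTCPFlags(TCPService *srv)
{
    if (!srv->inspectFlags()) return "";
    // The IOS version gate lives in SpecialServices, which aborts compilation
    // for pre-12.4 targets. Do not re-check here: a silent "" would emit a
    // TCP entry that matches more traffic than the service object specifies.
    std::set<TCPService::TCPFlag> flags = srv->getAllTCPFlags();
    std::set<TCPService::TCPFlag> masks = srv->getAllTCPFlagMasks();
    QStringList match_specs;
    for (std::set<TCPService::TCPFlag>::const_iterator mit = masks.begin();
         mit != masks.end(); ++mit)
    {
        const char *sign = (flags.count(*mit) > 0) ? "+" : "-";
        match_specs.push_back(
            QString("%1%2").arg(sign).arg(getTcpFlagName(*mit).c_str()));
    }
    if (match_specs.empty()) return "";
    match_specs.push_front("match-all");
    return match_specs.join(" ").toStdString() + " ";
}
```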


@ -10,7 +10,7 @@
<diff>fwb_iosacl_diff</diff>
<supported_os>ios</supported_os>
<versions>12.1,12.2,12.3</versions>
<versions>12.1,12.2,12.3,12.4</versions>
<options>
<default>
@ -76,6 +76,25 @@ interface %in
</iosacl_commands>
</version_12.3>
<version_12.4>
<iosacl_include_comments>true</iosacl_include_comments>
<iosacl_add_clear_statements>true</iosacl_add_clear_statements>
<iosacl_assume_fw_part_of_any>true</iosacl_assume_fw_part_of_any>
<iosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</iosacl_commands>
</version_12.4>
</options>
<capabilities>


@ -21,12 +21,11 @@
<ServiceRef ref="id5470X38343"/>
<ObjectRef ref="id19068X65694"/>
<ObjectRef ref="id19240X65694"/>
<ServiceRef ref="sysid1"/>
<ServiceRef ref="sysid1"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id4641321126611"/>
<ServiceRef ref="id5611X44763"/>
<ServiceRef ref="sysid1"/>
<ServiceRef ref="sysid1"/>
<ServiceRef ref="sysid1"/>
</Library>
<Library id="id4511636323682" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id4511636423682_clusters" name="Clusters" comment="" ro="False"/>
@ -149,6 +148,9 @@
<ServiceGroup id="id4511637023682" name="TCP" comment="" ro="False">
<TCPService id="id4641521729061" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http established" comment="" ro="False" src_range_start="80" src_range_end="80" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id5470X38343" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="establ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id83887X7744" ack_flag="True" ack_flag_mask="True" established="False" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="ack" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id83888X7744" ack_flag="False" ack_flag_mask="True" established="False" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="syn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id83889X7744" ack_flag="True" ack_flag_mask="True" established="False" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="syn ack" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
</ServiceGroup>
<ServiceGroup id="id4511637123682" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id4511637223682" name="Custom" comment="" ro="False">
@ -747,7 +749,7 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id464131E426611" host_OS="ios" inactive="False" lastCompiled="1251228630" lastInstalled="0" lastModified="1257560694" platform="iosacl" version="12.x" name="testios20" comment="" ro="False">
<Firewall id="id464131E426611" host_OS="ios" inactive="False" lastCompiled="1251228630" lastInstalled="0" lastModified="1257660998" platform="iosacl" version="12.4" name="testios20" comment="" ro="False">
<NAT id="id4641320F26611" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id464131EA26611" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id464131EB26611" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -1000,7 +1002,71 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7439X44763" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
<PolicyRule id="id85935X7744" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id83887X7744"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4641321126611"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id85953X7744" disabled="False" group="" log="False" position="13" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id83887X7744"/>
<ServiceRef ref="id83888X7744"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4641321126611"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id85970X7744" disabled="False" group="" log="False" position="14" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id83889X7744"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4641321126611"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7439X44763" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1020,7 +1086,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641320326611" disabled="False" log="True" position="13" action="Deny" direction="Both" comment="">
<PolicyRule id="id4641320326611" disabled="False" log="True" position="16" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>