
* NATCompiler_pix.cpp (NATCompiler_pix::_expand_interface): fixes

#1115: "fwb_pix crash compiling cluster NAT rule set with
interface in TSrc". A cluster interface was used in the TSrc rule
element of a NAT rule. Cluster interfaces of a PIX cluster have no
IP addresses of their own (a PIX HA pair uses the IP addresses of the
master unit), so the rule element became empty after the
interface object was supposed to be replaced with its IP address.

fixes #1115
This commit is contained in:
Vadim Kurland 2010-01-20 08:09:15 +00:00
parent 83cd816c40
commit 482fc615e7
11 changed files with 154 additions and 20 deletions


@ -1 +1 @@
#define BUILD_NUM 2393
#define BUILD_NUM 2394


@ -1,3 +1,13 @@
2010-01-20 vadim <vadim@vk.crocodile.org>
* NATCompiler_pix.cpp (NATCompiler_pix::_expand_interface): fixes
#1115: "fwb_pix crash compiling cluster NAT rule set with
interface in TSrc". A cluster interface was used in the TSrc rule
element of a NAT rule. Cluster interfaces of PIX cluster have no
ip addresses of their own (PIX HA pair uses ip addresses of the
master unit), this caused rule element to become empty after
interface object was supposed to be replaced with its ip address.
2010-01-19 vadim <vadim@vk.crocodile.org>
* ../src/cisco_lib/NATCompiler_pix.cpp (NATCompiler_pix::compile):
@ -8,6 +18,11 @@
NAT rule for PIX firewall, compiler generated configuration that
used subnet instead of just the address of the inetrface.
* (NATCompiler_pix::_expand_interface): reimplemented virtual
method Compiler::_expand_interface() to process cluster
interfaces. Using member interface instead of the cluster
interface while compiling the rule.
* (createNATCmd::processNext): fixes #1114: "fwb_pix crash when fw
with dynamic interface is used in TDst".


@ -40,6 +40,8 @@
#include "fwbuilder/Network.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include <algorithm>
#include <functional>
@ -47,6 +49,9 @@
#include <cstring>
#include <assert.h>
#include <QString>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
@ -67,6 +72,43 @@ NATCompiler_pix::NATCompiler_pix(FWObjectDatabase *_db,
{
}
void NATCompiler_pix::_expand_interface(Rule *rule,
Interface *iface,
std::list<FWObject*> &ol)
{
FWObject *parent = iface->getParentHost();
if (Cluster::cast(parent) == NULL)
{
Compiler::_expand_interface(rule, iface, ol);
return;
}
FWObject *failover_group = iface->getFirstByType(FailoverClusterGroup::TYPENAME);
if (failover_group)
{
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *member_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(member_iface);
if (member_iface->isChildOf(fw))
{
Compiler::_expand_interface(rule, member_iface, ol);
return;
}
}
QString err("Failover group of cluster interface '%1' (%2) "
"does not include interface for the member '%3'");
abort(rule,
err.
arg(iface->getName().c_str()).
arg(iface->getLabel().c_str()).
arg(fw->getName().c_str()).toStdString());
}
}
string NATCompiler_pix::getNATACLname(Rule *rule,int nat_id)
{
int n=-1;
@ -665,8 +707,6 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
Helper helper(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
list<FWObject*> cl;
RuleElementTSrc *rel;
Address *obj=NULL;
@ -674,7 +714,11 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
switch (rule->getRuleType()) {
case NATRule::Masq:
case NATRule::Redirect: return true;
case NATRule::Redirect:
{
tmp_queue.push_back(rule);
return true;
}
case NATRule::SNAT:
{
@ -691,6 +735,12 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
}
rel=rule->getTSrc(); assert(rel);
if (rel->size() == 0)
{
compiler->abort(rule, "Empty TSrc");
return true;
}
obj=compiler->getFirstTSrc(rule); assert(obj!=NULL);
if (obj->getId()==compiler->getFwId() )
@ -729,6 +779,8 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
break;
default: ; // TODO: should actually be always_assert
}
tmp_queue.push_back(rule);
return true;
}
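Review bot: When `iface` belongs to a cluster but has no FailoverClusterGroup child, the new `NATCompiler_pix::_expand_interface` falls through the `if (failover_group)` block and returns with `ol` untouched, so the rule element silently loses the interface — the same empty-element outcome this commit is fixing for #1115, caught later only by the new "Empty TSrc" check in ReplaceFirewallObjectsTSrc and not at all for other rule elements. Add an explicit failure on that path so the cause is reported where it occurs, e.g. `else abort(rule, "Cluster interface '" + iface->getName() + "' has no failover group");`. The `assert(member_iface)` guarding the dereferenced ObjectRef compiles out in NDEBUG builds, after which a dangling reference in the data file reaches `member_iface->isChildOf(fw)` as a null pointer; reporting it through `abort(rule, ...)` would keep the check in release builds. The identical body is duplicated in PolicyCompiler_pix.cpp (`PolicyCompiler_pix::_expand_interface`); both appear to use only `fw` and Compiler members, so one shared helper in the base class would avoid the two copies drifting apart.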


@ -101,6 +101,16 @@ namespace fwcompiler {
std::string debugPrintRule(libfwbuilder::Rule *r);
/**
* internal: checks if interface is a child of a cluster and calls
* Compiler::_expand_interface() with a pointer to the master member
* interface. If @iface is not cluster interface, just calls
* Compiler::_expand_interface()
*/
virtual void _expand_interface(libfwbuilder::Rule *rule,
libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
/* this is a dictionary of all nat acl names and associated boolean
* flag that indicates that corresponding 'clear' command has been
* issued. We use this to keep track of all names that are created to
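Review bot: The new doc comment says Compiler::_expand_interface() is called "with a pointer to the master member interface", but the implementation in NATCompiler_pix.cpp picks the first failover-group member for which `member_iface->isChildOf(fw)` holds — the member interface of the firewall being compiled — and never consults the master. Reword the middle line to `* Compiler::_expand_interface() with a pointer to the member interface that belongs to the firewall being compiled (fw).` The same wording is added to PolicyCompiler_pix.h in this commit and should be corrected there too. It would also help callers to state what happens when a cluster interface has no failover group (currently @ol is left unchanged), if that is the intended contract.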


@ -43,6 +43,8 @@
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include <iostream>
#if __GNUC__ > 3 || \
@ -58,6 +60,9 @@
#include <assert.h>
#include <QString>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
@ -186,6 +191,44 @@ int PolicyCompiler_pix::prolog()
return PolicyCompiler::prolog();
}
void PolicyCompiler_pix::_expand_interface(Rule *rule,
Interface *iface,
std::list<FWObject*> &ol)
{
FWObject *parent = iface->getParentHost();
if (Cluster::cast(parent) == NULL)
{
Compiler::_expand_interface(rule, iface, ol);
return;
}
FWObject *failover_group = iface->getFirstByType(FailoverClusterGroup::TYPENAME);
if (failover_group)
{
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *member_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(member_iface);
if (member_iface->isChildOf(fw))
{
Compiler::_expand_interface(rule, member_iface, ol);
return;
}
}
QString err("Failover group of cluster interface '%1' (%2) "
"does not include interface for the member '%3'");
abort(rule,
err.
arg(iface->getName().c_str()).
arg(iface->getLabel().c_str()).
arg(fw->getName().c_str()).toStdString());
}
}
bool PolicyCompiler_pix::checkVersionAndDynamicInterface::findDynamicInterface(
PolicyRule *rule, RuleElement *rel)
{


@ -69,6 +69,16 @@ namespace fwcompiler {
virtual bool processNext();
};
/**
* internal: checks if interface is a child of a cluster and calls
* Compiler::_expand_interface() with a pointer to the master member
* interface. If @iface is not cluster interface, just calls
* Compiler::_expand_interface()
*/
virtual void _expand_interface(libfwbuilder::Rule *rule,
libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
/*
*************************************************************************
*


@ -210,12 +210,13 @@ int NATCompiler_ipt::prolog()
}
void NATCompiler_ipt::_expandInterface(Interface *iface,
std::list<FWObject*> &ol)
void NATCompiler_ipt::_expand_interface(Rule *rule,
Interface *iface,
std::list<FWObject*> &ol)
{
std::list<FWObject*> nol;
Compiler::_expandInterface(iface,ol);
Compiler::_expand_interface(rule, iface, ol);
physAddress *pa=iface->getPhysicalAddress();
/*


@ -84,8 +84,9 @@ namespace fwcompiler {
* the class combinedAddress here from each pair of physAddress
* and IPV4
*/
virtual void _expandInterface(libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
virtual void _expand_interface(libfwbuilder::Rule *rule,
libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);


@ -287,8 +287,9 @@ string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule,
return str.str();
}
void PolicyCompiler_ipt::_expandInterface(Interface *iface,
std::list<FWObject*> &ol)
void PolicyCompiler_ipt::_expand_interface(Rule *rule,
Interface *iface,
std::list<FWObject*> &ol)
{
std::list<FWObject*> ol1;
@ -296,7 +297,7 @@ void PolicyCompiler_ipt::_expandInterface(Interface *iface,
std::list<FWObject*> lother;
physAddress *pa=NULL;
Compiler::_expandInterface(iface,ol1);
Compiler::_expand_interface(rule, iface,ol1);
for (std::list<FWObject*>::iterator j=ol1.begin(); j!=ol1.end(); j++)
{
if ((*j)->getTypeName() == IPv4::TYPENAME)
@ -323,7 +324,7 @@ void PolicyCompiler_ipt::_expandInterface(Interface *iface,
/* At this point we have physAddress object and have to deal with it
*
* Compiler::_expandInterface picks all IPv4 objects and physAddress
* Compiler::_expand_interface picks all IPv4 objects and physAddress
* object under Interface; it can also add interface object(s) to
* the list.
*
@ -2751,7 +2752,7 @@ bool PolicyCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::processNext()
/*
* remember, behavior of this processor has been changed in virtual
* method _expandInterface
* method _expand_interface
*/
bool PolicyCompiler_ipt::expandMultipleAddressesIfNotFWinSrc::processNext()
{
@ -4105,7 +4106,7 @@ void PolicyCompiler_ipt::compile()
" swap MultiAddress -> MultiAddressRunTime in Dst"));
/* behavior of processors ExpandMultiple... has been changed in
* virtual method _expandInterface */
* virtual method _expand_interface */
add( new ExpandMultipleAddressesInSrc(
"expand objects with multiple addresses in SRC"));
add( new ExpandMultipleAddressesInDst(


@ -118,8 +118,9 @@ protected:
* the class combinedAddress here from each pair of physAddress
* and IPV4
*/
virtual void _expandInterface(libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
virtual void _expand_interface(libfwbuilder::Rule *rule,
libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
/**


@ -282,7 +282,7 @@
</Library>
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
<Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1258413993" platform="pix" name="cluster1" comment="" ro="False">
<Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1263972639" platform="pix" name="cluster1" comment="" ro="False">
<NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -295,7 +295,7 @@
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id2374X75741"/>
<ObjectRef ref="id2379X75741"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
@ -445,7 +445,7 @@
<Option name="iface_mtu">1500</Option>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id2377X75741" type="none" name="cluster1:e1:members" comment="">
<FailoverClusterGroup id="id2377X75741" master_iface="id2843X69605" type="none" name="cluster1:e1:members" comment="">
<ObjectRef ref="id2843X69605"/>
<ObjectRef ref="id2936X39486"/>
<ClusterGroupOptions>