onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 02:37:16 +01:00
Code Issues Releases Wiki Activity

see #2113 looks like I need to support at least three patterns to cver different versions of PIX and ASA software. Moving routines that guess label and security level to platforms.cpp so I can use QString

Browse Source
This commit is contained in:
Vadim Kurland 2011-02-21 13:04:11 -08:00
parent f909d073eb
commit 49e79663a8
6 changed files with 197 additions and 191 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

161
src/libfwbuilder/src/fwbuilder/InterfaceData.cpp
View File

@ -121,164 +121,3 @@ InterfaceData::~InterfaceData()
addr_mask.clear();
}
void InterfaceData::guessLabel(const string&)
{
/*
* some firewalls report fairly regular names for interfaces through
* their built-in SNMP agent. We can use this to assign labels
* automatically.
*
* in PIX interfaces have names like "PIX Firewall 'inside' interface"
*
*/
string pat1 = "PIX Firewall '";
string pat2 = "Adaptive Security Appliance '";
string pat3 = "' interface";
string::size_type p2;
if ( name.find(pat1)==0 && (p2=name.find(pat3))!=string::npos )
label = name.substr( pat1.size() , p2-pat1.size() );
if ( name.find(pat2)==0 && (p2=name.find(pat3))!=string::npos )
label = name.substr( pat2.size() , p2-pat2.size() );
if (!isDyn &&
!isUnnumbered &&
!isBridgePort &&
addr_mask.size()!=0 &&
addr_mask.front()->getAddressPtr()->toString() == InetAddr::getLoopbackAddr().toString())
label = "loopback";
}
void InterfaceData::guessSecurityLevel(const string&)
{
InetAddrMask n10(InetAddr("10.0.0.0"), InetAddr("255.0.0.0"));
InetAddrMask n172(InetAddr("172.16.0.0"), InetAddr("255.240.0.0"));
InetAddrMask n192(InetAddr("192.168.0.0"), InetAddr("255.255.0.0"));
securityLevel = -1;
string llbl = label;
for (string::size_type i=0; i<llbl.length(); i++)
llbl[i] = tolower( llbl[i] );
if ( llbl=="out" ||
llbl=="ext" ||
llbl=="internet" ||
llbl=="wan" ||
llbl=="dsl" ||
llbl=="cable" ||
llbl.find("outside")!=string::npos ||
llbl.find("external")!=string::npos) securityLevel = 0;
if ( llbl=="lan" ||
llbl=="in" ||
llbl.find("inside")!=string::npos ||
llbl.find("internal")!=string::npos ) securityLevel = 100;
if ( llbl.find("dmz")!=string::npos ) securityLevel = 50;
if ( (*(addr_mask.front()->getAddressPtr()))==InetAddr::getLoopbackAddr())
securityLevel = 100;
if (name=="Null0") securityLevel = 100;
if (securityLevel==-1 && !isDyn && !isUnnumbered && !isBridgePort)
{
if (n10.belongs( InetAddr( *(addr_mask.front()->getAddressPtr()) ) ))
securityLevel = 100;
if (n172.belongs( InetAddr( *(addr_mask.front()->getAddressPtr()) ) ))
securityLevel = 100;
if (n192.belongs( InetAddr( *(addr_mask.front()->getAddressPtr()) ) ))
securityLevel = 100;
}
if (isDyn || isUnnumbered || isBridgePort) securityLevel = 0;
if (securityLevel==-1) securityLevel = 0;
}
class sort_order_func_adaptor
{
public:
explicit sort_order_func_adaptor() {}
bool operator()(const InterfaceData &a, const InterfaceData &b)
{
if (a.label=="outside") return true;
if (b.label=="inside") return true;
return (a.securityLevel<b.securityLevel || a.label<b.label || a.name<b.name);
}
};
void InterfaceData::guessSecurityLevel(const string &platform,
list<InterfaceData> &ifaces)
{
// first pass - try to find internal and external interfaces and
// assign sec. levels and labels
// bool supports_security_levels=Resources::getTargetCapabilityBool(platform,
// "security_levels");
list<InterfaceData> res;
if (ifaces.size()==1)
{
ifaces.front().guessSecurityLevel(platform);
return;
}
if (ifaces.size()==2)
{
const InetAddr *address = ifaces.front().addr_mask.front()->getAddressPtr();
if (*address==InetAddr::getLoopbackAddr())
{
ifaces.front().securityLevel=100;
ifaces.back().securityLevel=0;
} else
{
const InetAddr *address = ifaces.back().addr_mask.front()->getAddressPtr();
if (*address==InetAddr::getLoopbackAddr())
{
ifaces.front().securityLevel=0;
ifaces.back().securityLevel=100;
} else
{
ifaces.front().guessSecurityLevel(platform);
ifaces.back().guessSecurityLevel(platform);
}
}
ifaces.sort(sort_order_func_adaptor());
return;
}
else
{
for (list<InterfaceData>::iterator i=ifaces.begin(); i!=ifaces.end(); i++)
{
i->guessSecurityLevel(platform);
}
}
ifaces.sort(sort_order_func_adaptor());
// second pass - Assign sec. levels evenly if it is pix, or all zeros in all other cases.
int sec_level_step= 100 / ( ifaces.size() - 1 );
int sec_level = 0;
for (list<InterfaceData>::iterator i=ifaces.begin(); i!=ifaces.end(); i++)
{
i->securityLevel=sec_level;
sec_level += sec_level_step;
}
}

25
src/libfwbuilder/src/fwbuilder/InterfaceData.h
View File

@ -66,31 +66,6 @@ public:
InterfaceData(const libfwbuilder::Interface &iface);
virtual ~InterfaceData();
/**
* this method is a collection of heuristics that allow us to assign
* a reasonable label to the interface based on firewall platform,
* name of the interface, its label and other parameters.
*/
void guessLabel(const std::string &platform);
/**
* this method is a collection of heuristics that allow us to make an
* educated guess about interface's security level based on the
* firewall platform, name of the interface, its label and other
* parameters.
*/
void guessSecurityLevel(const std::string &platform);
/**
* This method is a collection of heuristics that allow us to assign
* a reasonable security level to many interfaces based on firewall
* platform, their names and labels and other parameters. This method
* compares parameters of many interfaces and in certain cases can
* guess their relative security levels.
*/
static void guessSecurityLevel(const std::string &platform,
std::list<InterfaceData> &interfaces);
};
}

7
src/libgui/newFirewallDialog.cpp
View File

@ -387,7 +387,7 @@ void newFirewallDialog::monitor()
if (idata->ostatus)
{
idata->guessLabel(platform.toStdString());
guessInterfaceLabel(idata);
if (platform == "pix" || platform == "fwsm")
{
@ -396,6 +396,7 @@ void newFirewallDialog::monitor()
QString name = idata->name.c_str();
name.replace("Adaptive Security Appliance '", "");
name.replace("Cisco PIX Security Appliance '", "");
name.replace("PIX Firewall '", "");
name.replace("' interface", "");
idata->name = name.toStdString();
@ -780,8 +781,8 @@ void newFirewallDialog::getInterfaceDataFromInterfaceEditor(
{
try
{
idata.guessSecurityLevel(
readPlatform(m_dialog->platform).toStdString() );
guessSecurityLevel(
readPlatform(m_dialog->platform).toStdString(), &idata);
}
catch (FWException &ex)
{

2
src/libgui/newHostDialog.cpp
View File

@ -251,7 +251,7 @@ void newHostDialog::monitor()
InterfaceData* idata = &(i->second);
if ( idata->ostatus )
{
idata->guessLabel("");
guessInterfaceLabel(idata);
this->m_dialog->interfaceEditor->addInterfaceFromData(idata);
}
}

164
src/libgui/platforms.cpp
View File

@ -1107,4 +1107,168 @@ void setDefaultFailoverGroupAttributes(FailoverClusterGroup *grp)
}
}
void guessInterfaceLabel(InterfaceData *idata)
{
/*
* some firewalls report fairly regular names for interfaces through
* their built-in SNMP agent. We can use this to assign labels
* automatically.
*
* in PIX interfaces have names like "PIX Firewall 'inside' interface"
*
*/
QString qs_name = idata->name.c_str();
QString qs_label;
QRegExp pat1("Adaptive Security Appliance '(.*)' interface");
QRegExp pat2("Cisco PIX Security Appliance '(.*)' interface");
QRegExp pat3("PIX Firewall '(.*)' interface");
if (pat1.indexIn(qs_name) > -1) qs_label = pat1.cap(1);
if (pat2.indexIn(qs_name) > -1) qs_label = pat2.cap(1);
if (pat3.indexIn(qs_name) > -1) qs_label = pat3.cap(1);
idata->label = qs_label.toStdString();
if ( ! idata->isDyn &&
! idata->isUnnumbered &&
! idata->isBridgePort &&
idata->addr_mask.size()!=0 &&
idata->addr_mask.front()->getAddressPtr()->toString() == InetAddr::getLoopbackAddr().toString())
idata->label = "loopback";
}
void guessSecurityLevel(const string&, InterfaceData *idata)
{
InetAddrMask n10(InetAddr("10.0.0.0"), InetAddr("255.0.0.0"));
InetAddrMask n172(InetAddr("172.16.0.0"), InetAddr("255.240.0.0"));
InetAddrMask n192(InetAddr("192.168.0.0"), InetAddr("255.255.0.0"));
idata->securityLevel = -1;
string llbl = idata->label;
for (string::size_type i=0; i<llbl.length(); i++)
llbl[i] = tolower( llbl[i] );
if ( llbl=="out" ||
llbl=="ext" ||
llbl=="internet" ||
llbl=="wan" ||
llbl=="dsl" ||
llbl=="cable" ||
llbl.find("outside")!=string::npos ||
llbl.find("external")!=string::npos) idata->securityLevel = 0;
if ( llbl=="lan" ||
llbl=="in" ||
llbl.find("inside")!=string::npos ||
llbl.find("internal")!=string::npos ) idata->securityLevel = 100;
if ( llbl.find("dmz")!=string::npos ) idata->securityLevel = 50;
if ( (*(idata->addr_mask.front()->getAddressPtr()))==InetAddr::getLoopbackAddr())
idata->securityLevel = 100;
if (idata->name=="Null0") idata->securityLevel = 100;
if (idata->securityLevel==-1 &&
! idata->isDyn && ! idata->isUnnumbered && ! idata->isBridgePort)
{
if (n10.belongs( InetAddr( *(idata->addr_mask.front()->getAddressPtr()) ) ))
idata->securityLevel = 100;
if (n172.belongs( InetAddr( *(idata->addr_mask.front()->getAddressPtr()) ) ))
idata->securityLevel = 100;
if (n192.belongs( InetAddr( *(idata->addr_mask.front()->getAddressPtr()) ) ))
idata->securityLevel = 100;
}
if (idata->isDyn || idata->isUnnumbered || idata->isBridgePort)
idata->securityLevel = 0;
if (idata->securityLevel==-1) idata->securityLevel = 0;
}
class sort_order_func_adaptor
{
public:
explicit sort_order_func_adaptor() {}
bool operator()(const InterfaceData &a, const InterfaceData &b)
{
if (a.label=="outside") return true;
if (b.label=="inside") return true;
return (a.securityLevel<b.securityLevel || a.label<b.label || a.name<b.name);
}
};
void guessSecurityLevel(const string &platform, list<InterfaceData> &ifaces)
{
// first pass - try to find internal and external interfaces and
// assign sec. levels and labels
// bool supports_security_levels=Resources::getTargetCapabilityBool(platform,
// "security_levels");
list<InterfaceData> res;
if (ifaces.size()==1)
{
guessSecurityLevel(platform, &(ifaces.front()));
return;
}
if (ifaces.size()==2)
{
const InetAddr *address = ifaces.front().addr_mask.front()->getAddressPtr();
if (*address==InetAddr::getLoopbackAddr())
{
ifaces.front().securityLevel=100;
ifaces.back().securityLevel=0;
} else
{
const InetAddr *address = ifaces.back().addr_mask.front()->getAddressPtr();
if (*address==InetAddr::getLoopbackAddr())
{
ifaces.front().securityLevel=0;
ifaces.back().securityLevel=100;
} else
{
guessSecurityLevel(platform, &(ifaces.front()));
guessSecurityLevel(platform, &(ifaces.back()));
}
}
ifaces.sort(sort_order_func_adaptor());
return;
}
else
{
for (list<InterfaceData>::iterator i=ifaces.begin(); i!=ifaces.end(); i++)
{
guessSecurityLevel(platform, &(*i));
}
}
ifaces.sort(sort_order_func_adaptor());
// second pass - Assign sec. levels evenly if it is pix, or all zeros in all other cases.
int sec_level_step= 100 / ( ifaces.size() - 1 );
int sec_level = 0;
for (list<InterfaceData>::iterator i=ifaces.begin(); i!=ifaces.end(); i++)
{
i->securityLevel=sec_level;
sec_level += sec_level_step;
}
}

29
src/libgui/platforms.h
View File

@ -37,7 +37,8 @@
#include <list>
#include <utility>
#include <fwbuilder/Rule.h>
#include "fwbuilder/Rule.h"
#include "fwbuilder/InterfaceData.h"
namespace libfwbuilder
@ -96,6 +97,32 @@ void setInterfaceTypes(QComboBox *iface_type,
libfwbuilder::Interface *iface,
const QString &current_type);
/**
* this method is a collection of heuristics that allow us to assign
* a reasonable label to the interface based on firewall platform,
* name of the interface, its label and other parameters.
*/
void guessInterfaceLabel(libfwbuilder::InterfaceData *idata);
/**
* this method is a collection of heuristics that allow us to make an
* educated guess about interface's security level based on the
* firewall platform, name of the interface, its label and other
* parameters.
*/
void guessSecurityLevel(const std::string &platform,
libfwbuilder::InterfaceData *idata);
/**
* This method is a collection of heuristics that allow us to assign
* a reasonable security level to many interfaces based on firewall
* platform, their names and labels and other parameters. This method
* compares parameters of many interfaces and in certain cases can
* guess their relative security levels.
*/
void guessSecurityLevel(const std::string &platform,
std::list<libfwbuilder::InterfaceData> &interfaces);
/**
* !!! returns a list of log levels that can be used to populate qcombobox
* !!! widget. I do not see how log levels can be different for various