onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 18:57:14 +01:00
Code Issues Releases Wiki Activity

* PIXImporter.cpp (finalize): see #2277 "Create policy objects for

Browse Source 
ASA access-lists that are not applied in an access-group". Policy
rule set will be created and populated with rules found in the
corresponding access-list even if this access-list is not applied
to an interface with access-group command.
This commit is contained in:
Vadim Kurland 2011-03-25 16:02:15 -07:00
parent b89afcc87a
commit 5bfcc226cb
3 changed files with 39 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/ChangeLog
View File

@ -1,5 +1,11 @@
2011-03-25 vadim <vadim@netcitadel.com>
* PIXImporter.cpp (finalize): see #2277 "Create policy objects for
ASA access-lists that are not applied in an access-group". Policy
rule set will be created and populated with rules found in the
corresponding access-list even if this access-list is not applied
to an interface with access-group command.
* parsers/pix.g (tcp_udp_rule_extended): see #2273 Improvements in
the parser for PIX/ASA configs to make it recognize object-group
and named object names used to define source port, destination

9
src/import/IOSImporter.cpp
View File

@ -264,8 +264,13 @@ void IOSImporter::MergeRules::move(FWObject* r)
target_ruleset->reparent(rule);
RuleElementItf* re =rule->getItf();
re->addRef(intf);
if (intf)
{
RuleElementItf* re =rule->getItf();
assert(re);
re->addRef(intf);
}
rule->setDirection(dir);
std::string prev_comment = rule->getComment();

35
src/import/PIXImporter.cpp
View File

@ -35,6 +35,7 @@
#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Network.h"
@ -290,7 +291,26 @@ Firewall* PIXImporter::finalize()
{
qDebug() << " irs->name=" << irs->name.c_str();
qDebug() << " irs->intf_dir.size()=" << irs->intf_dir.size();
qDebug() << " irs->ruleset->getName()="
<< irs->ruleset->getName().c_str();
qDebug() << " irs->ruleset->size()=" << irs->ruleset->size();
FWObject *p = irs->ruleset->getParent();
qDebug() << " irs->ruleset->getParent()=" << p;
if (p)
qDebug() << " " << p->getName().c_str();
qDebug() << " fw=" << fw;
qDebug() << " policy=" << policy;
}
if (irs->intf_dir.size() == 0)
{
// no interface and direction information for this rule set
// Perhaps no access-group command ?
FWObjectDatabase *dbroot = fw->getRoot();
FWObject *new_ruleset = dbroot->create(
irs->ruleset->getTypeName());
fw->add(new_ruleset);
new_ruleset->duplicate(irs->ruleset);
}
// optimization: If we have several interfaces for
@ -304,6 +324,7 @@ Firewall* PIXImporter::finalize()
// to the same interface both in and out (although in
// this case we have already switched direction to "both")
//
if (irs->intf_dir.size()>1)
{
std::list<std::string> all_in;
@ -311,15 +332,11 @@ Firewall* PIXImporter::finalize()
std::list<std::string> all_both;
std::map<std::string,std::string>::iterator i;
for (i = irs->intf_dir.begin();
i != irs->intf_dir.end(); ++i)
for (i = irs->intf_dir.begin(); i != irs->intf_dir.end(); ++i)
{
if ( (*i).second=="in")
all_in.push_back( (*i).first );
if ( (*i).second=="out")
all_out.push_back( (*i).first );
if ( (*i).second=="both")
all_both.push_back( (*i).first );
if ( (*i).second=="in") all_in.push_back( (*i).first );
if ( (*i).second=="out") all_out.push_back( (*i).first );
if ( (*i).second=="both") all_both.push_back( (*i).first );
}
FWObject *og;
@ -399,7 +416,7 @@ Firewall* PIXImporter::finalize()
rs->renumberRules();
}
return getFirewallObject();
return fw;
}
else
{