
fixes #591 using configlet to generate interface configuration commands for PIX

Vadim Kurland 2009-11-10 19:27:20 +00:00
parent 414ca6cfb5
commit 672b8ff586
9 changed files with 162 additions and 169 deletions


@ -1 +1 @@
#define BUILD_NUM 1711
#define BUILD_NUM 1712


@ -1,5 +1,10 @@
2009-11-10 vadim <vadim@vk.crocodile.org>
* OSConfigurator_pix_os.cpp (OSConfigurator_pix_os::_printInterfaceConfiguration):
Using configlet to generate interface configuration commands for
PIX. Now user can change generated script if necessary without
making changes in the fwbuilder code.
* ObjectManipulator.cpp (ObjectManipulator::libChanged):
Experimental change in the GUI, new feature: Now the program does
not switch object in the editor on a single click in the tree.


@ -162,57 +162,58 @@ string CompilerDriver_pix::run(const std::string &cluster_id,
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
cluster = Cluster::cast(objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
Firewall *fw = Firewall::cast(objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
// PIX failover is dfferent from VRRP and other failover protocols
// in that it does not create new virtual address. Instead, each
// unit is configured with two ip addresses, one for the active
// unit and another for standby one. When active unit fails, the
// other one assumes its address.
//
// This matters because when we use cluster object or one of its
// interfaces in rules, compiler should expand it to the set of
// addresses that includes addresses of the corresponding
// interface of both member firewalls. Method
// CompilerDriver::copyFailoverInterface adds a copy of firewall
// interface to the cluster object. This works for all firewalls,
// but for PIX we need to add copies of interfaces from both
// members.
//
FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME);
for (; cl_iface != cl_iface.end(); ++cl_iface)
if (cluster)
{
FailoverClusterGroup *failover_group =
FailoverClusterGroup::cast(
(*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME));
if (failover_group)
// PIX failover is dfferent from VRRP and other failover protocols
// in that it does not create new virtual address. Instead, each
// unit is configured with two ip addresses, one for the active
// unit and another for standby one. When active unit fails, the
// other one assumes its address.
//
// This matters because when we use cluster object or one of its
// interfaces in rules, compiler should expand it to the set of
// addresses that includes addresses of the corresponding
// interface of both member firewalls. Method
// CompilerDriver::copyFailoverInterface adds a copy of firewall
// interface to the cluster object. This works for all firewalls,
// but for PIX we need to add copies of interfaces from both
// members.
//
FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME);
for (; cl_iface != cl_iface.end(); ++cl_iface)
{
FWObject *this_member_interface = NULL;
list<FWObject*> other_member_interfaces;
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
FailoverClusterGroup *failover_group =
FailoverClusterGroup::cast(
(*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME));
if (failover_group)
{
FWObject *intf = FWObjectReference::getObject(*it);
assert(intf);
if (intf->isChildOf(fw)) this_member_interface = intf;
else other_member_interfaces.push_back(intf);
}
if (!other_member_interfaces.empty())
{
for (list<FWObject*>::iterator it=other_member_interfaces.begin();
it!=other_member_interfaces.end(); ++it)
FWObject *this_member_interface = NULL;
list<FWObject*> other_member_interfaces;
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
cluster->addCopyOf(*it, true);
FWObject *intf = FWObjectReference::getObject(*it);
assert(intf);
if (intf->isChildOf(fw)) this_member_interface = intf;
else other_member_interfaces.push_back(intf);
}
if (!other_member_interfaces.empty())
{
for (list<FWObject*>::iterator it=other_member_interfaces.begin();
it!=other_member_interfaces.end(); ++it)
{
cluster->addCopyOf(*it, true);
}
}
}
}
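Review bot: `populateClusterElements(cluster, fw)` is still called before the new `if (cluster)` guard, so when `cluster_id` is empty (or the id does not resolve to a Cluster object) the helper receives a NULL pointer; unless it is known to tolerate NULL, the call belongs inside the guard, `if (cluster) { populateClusterElements(cluster, fw); ... }`. The only check on `firewall_id` is `assert(fw)`, which compiles out in NDEBUG builds, so an unresolvable id then reaches member calls on a NULL `Firewall*`; an explicit error would be safer than the assert. `run()` continues past the end of the hunk.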


@ -715,15 +715,14 @@ void NATCompiler_pix::UseFirewallInterfaces::scanInterfaces(RuleElement *rel)
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
Address *obj=Address::cast(o);
if(obj==NULL)
compiler->abort(
rel->getParent(),
"Broken rule element "+
rel->getTypeName()+
" in rule "+
NATRule::cast(rel->getParent())->getLabel()+
" ( found object with type "+
string((o!=NULL)?o->getTypeName():"<NULL>") +
")");
compiler->abort(rel->getParent(),
"Broken rule element "+
rel->getTypeName()+
" in rule "+
NATRule::cast(rel->getParent())->getLabel()+
" ( found object with type "+
string((o!=NULL)?o->getTypeName():"<NULL>") +
")");
const InetAddr *obj_addr = obj->getAddressPtr();
if (obj_addr==NULL) return;
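Review bot: In the reindented abort call the message expression `NATRule::cast(rel->getParent())->getLabel()` dereferences the cast result unchecked, so if the parent is not a NATRule the compiler crashes while composing the "Broken rule element" diagnostic instead of reporting it. Guard it first, `NATRule *rule = NATRule::cast(rel->getParent());` and use `rule ? rule->getLabel() : string("<unknown>")` in the message. The statements after the call also assume `compiler->abort()` never returns; if it can, `obj` is NULL at `obj->getAddressPtr()`. `scanInterfaces` begins and ends outside the hunk.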
@ -1566,6 +1565,9 @@ void NATCompiler_pix::compile()
add( new emptyGroupsInTSrv("check for empty groups in TSRV"));
add( new ExpandGroups("expand groups"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));
add( new eliminateDuplicatesInODST("eliminate duplicates in ODST"));
add( new eliminateDuplicatesInOSRV("eliminate duplicates in OSRV"));


@ -34,6 +34,9 @@
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "Configlet.h"
#include <list>
#include <algorithm>
#include <functional>
@ -72,10 +75,14 @@ void OSConfigurator_pix_os::processFirewallOptions()
output << endl;
}
output << _printNameif();
output << endl;
output << _printIPAddress();
//output << _printNameif();
//output << endl;
//output << _printIPAddress();
//output << endl;
output << _printInterfaceConfiguration();
output << endl;
output << _printLogging();
output << endl;
output << _printTimeouts();
@ -90,87 +97,52 @@ void OSConfigurator_pix_os::processFirewallOptions()
output << endl;
}
string OSConfigurator_pix_os::_printNameif()
string OSConfigurator_pix_os::_printInterfaceConfiguration()
{
ostringstream res;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string::size_type n;
bool version_ge_70 = XMLTools::version_compare(version, "7.0") >= 0;
bool configure_addresses = fw->getOptionsObject()->getBool("pix_ip_address");
list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=dynamic_cast<Interface*>(*i);
assert(iface);
string nameifCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/version_")+
version+"/pix_commands/nameif");
if ((n = nameifCmd.find("%il"))!=string::npos)
nameifCmd.replace(n,3,iface->getLabel());
if ((n = nameifCmd.find("%in"))!=string::npos)
nameifCmd.replace(n,3,iface->getName());
if ((n = nameifCmd.find("%sl"))!=string::npos)
Configlet interface_config(fw, "pix_os", "configure_interfaces");
interface_config.removeComments();
interface_config.collapseEmptyStrings(true);
interface_config.setVariable("pix_version_lt_70", ! version_ge_70);
interface_config.setVariable("pix_version_ge_70", version_ge_70);
interface_config.setVariable("configure_interface_address",
configure_addresses);
interface_config.setVariable("interface_name", iface->getName().c_str());
interface_config.setVariable("interface_label", iface->getLabel().c_str());
interface_config.setVariable("security_level", iface->getSecurityLevel());
interface_config.setVariable("static_address", ! iface->isDyn());
interface_config.setVariable("dhcp_address", iface->isDyn());
if (!iface->isDyn())
{
ostringstream sls;
sls << iface->getSecurityLevel();
nameifCmd.replace(n,3,sls.str());
QString addr = iface->getAddressPtr()->toString().c_str();
QString netm = iface->getNetmaskPtr()->toString().c_str();
interface_config.setVariable("address", addr);
interface_config.setVariable("netmask", netm);
}
res << nameifCmd;
res << interface_config.expand().toStdString();
res << endl;
res << endl;
}
res << endl;
return res.str();
}
string OSConfigurator_pix_os::_printIPAddress()
{
ostringstream res;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string setAddrCmd;
string::size_type n;
if ( fw->getOptionsObject()->getBool("pix_ip_address") )
{
list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=dynamic_cast<Interface*>(*i);
assert(iface);
if (iface->isDyn())
{
setAddrCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/version_")+
version+"/pix_commands/ip_addr_dyn");
} else
{
setAddrCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/version_")+
version+"/pix_commands/ip_addr_static");
}
if ((n = setAddrCmd.find("%il"))!=string::npos)
setAddrCmd.replace(n,3,iface->getLabel());
if ((n = setAddrCmd.find("%in"))!=string::npos)
setAddrCmd.replace(n,3,iface->getName());
if ((n = setAddrCmd.find("%a"))!=string::npos)
setAddrCmd.replace(n,2,iface->getAddressPtr()->toString());
if ((n = setAddrCmd.find("%n"))!=string::npos)
setAddrCmd.replace(n,2,iface->getNetmaskPtr()->toString());
res << setAddrCmd;
}
}
res << endl;
return res.str();
}
string OSConfigurator_pix_os::_printLogging()
{
Helper helper(this);
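Review bot: After the rewrite of `_printInterfaceConfiguration` the locals `platform` and `string::size_type n;` are no longer used — both served only the removed `Resources::platform_res` lookups and `replace` calls — and should be dropped along with the `platform` read. In the static branch `iface->getAddressPtr()->toString()` and `iface->getNetmaskPtr()->toString()` are dereferenced without a NULL check, so a static interface with no address object crashes the compiler rather than producing a diagnostic; unless those accessors are guaranteed non-NULL here, check both pointers before the two `setVariable` calls. The old `_printNameif`/`_printIPAddress` calls in `processFirewallOptions` and their declarations in the header are left behind as commented-out code even though the definitions are deleted; remove the comments rather than keep references to methods that no longer exist. Interface names and labels are substituted into the configlet verbatim, so any validation of those values has to happen before this point.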
@ -278,7 +250,7 @@ string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,
return str.str();
}
string OSConfigurator_pix_os::_printSNMP()
string OSConfigurator_pix_os::_printSNMP()
{
ostringstream str;
string version = fw->getStr("version");
@ -304,14 +276,16 @@ string OSConfigurator_pix_os::_printSNMP()
} else
{
if (set_communities) {
if (set_communities)
{
string read_c = fw->getManagementObject()->
getSNMPManagement()->getReadCommunity();
str << endl;
str << "snmp-server community " << read_c << endl;
}
if (set_sysinfo) {
if (set_sysinfo)
{
string location=fw->getOptionsObject()->getStr("snmp_location");
string contact =fw->getOptionsObject()->getStr("snmp_contact");
str << endl;
@ -321,7 +295,8 @@ string OSConfigurator_pix_os::_printSNMP()
str << "snmp-server contact " << contact << endl;
}
if (enable_traps) {
if (enable_traps)
{
str << endl;
str << "snmp-server enable traps" << endl;
} else {
@ -364,7 +339,7 @@ string OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref)
return str.str();
}
string OSConfigurator_pix_os::_printNTP()
string OSConfigurator_pix_os::_printNTP()
{
ostringstream res;
string version = fw->getStr("version");
@ -396,7 +371,7 @@ string OSConfigurator_pix_os::_printNTP()
return res.str();
}
string OSConfigurator_pix_os::_printSysopt()
string OSConfigurator_pix_os::_printSysopt()
{
ostringstream res;
string platform = fw->getStr("platform");


@ -37,8 +37,10 @@ namespace fwcompiler {
class OSConfigurator_pix_os : public OSConfigurator {
std::string _printNameif();
std::string _printIPAddress();
//std::string _printNameif();
//std::string _printIPAddress();
std::string _printInterfaceConfiguration();
std::string _printLogging();
std::string _printSNMPServer(const std::string &srv,int poll_trap);


@ -0,0 +1,47 @@
## -*- mode: shell-script; -*-
##
{{if static_address}}
{{if pix_version_lt_70}}
nameif {{$interface_name}} {{$interface_label}} security{{$security_level}}
{{if configure_interface_address}}
ip address {{$interface_label}} {{$address}} {{$netmask}}
{{endif}}
{{endif}}
{{if pix_version_ge_70}}
interface {{$interface_name}}
nameif {{$interface_label}}
{{if configure_interface_address}}
ip address {{$address}} {{$netmask}}
{{endif}}
security-level {{$security_level}}
exit
{{endif}}
{{endif}}
{{if dhcp_address}}
{{if pix_version_lt_70}}
nameif {{$interface_name}} {{$interface_label}} security{{$security_level}}
{{if configure_interface_address}}
ip address {{$interface_label}} dhcp setroute retry 10
{{endif}}
{{endif}}
{{if pix_version_ge_70}}
interface {{$interface_name}}
nameif {{$interface_label}}
{{if configure_interface_address}}
ip address dhcp setroute
{{endif}}
security-level {{$security_level}}
exit
{{endif}}
{{endif}}
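Review bot: The new template documents none of the variables it expects, so someone editing it in place — which the commit names as the purpose of the change — has to read `_printInterfaceConfiguration` to learn what the flags and values mean; since the configurator calls `removeComments()`, a `##` header listing them costs nothing in the output. Suggest adding after the mode line a comment such as `## Variables set by OSConfigurator_pix_os::_printInterfaceConfiguration: interface_name, interface_label, security_level, address, netmask; flags: static_address, dhcp_address, configure_interface_address, pix_version_lt_70, pix_version_ge_70`. The two top-level `static_address`/`dhcp_address` branches repeat the whole version split and differ only in the `ip address` line, so the template could be reduced to one version split with the address line chosen inside it.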


@ -44,6 +44,7 @@
<pix_route_dnat_supported>true</pix_route_dnat_supported>
<pix_outbound_acl_supported>false</pix_outbound_acl_supported>
<pix_timeout_rpc_is_sunrpc>false</pix_timeout_rpc_is_sunrpc>
<pix_commands>
<clear_acl>clear access-list</clear_acl>
<clear_og>clear object-group</clear_og>
@ -56,15 +57,6 @@
<clear_static>clear static</clear_static>
<clear_global>clear global</clear_global>
<clear_nat>clear nat</clear_nat>
<ip_addr_static>
ip address %il %a %n
</ip_addr_static>
<ip_addr_dyn>
ip address %il dhcp setroute retry 10
</ip_addr_dyn>
<nameif>
nameif %in %il security%sl
</nameif>
</pix_commands>
<timeouts>
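Review bot: The `nameif`, `ip_addr_static` and `ip_addr_dyn` entries are removed from every `pix_commands` block in this file (the same deletion repeats in the three later hunks), but the only reader updated in this commit is OSConfigurator_pix_os; any other consumer that still asks for `.../pix_commands/nameif` or the `ip_addr_*` paths would now get an empty resource string and emit a blank command. Worth checking for remaining readers of those resource paths before merging, or keeping the entries until all of them are gone.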
@ -132,6 +124,7 @@ nameif %in %il security%sl
<pix_route_dnat_supported>true</pix_route_dnat_supported>
<pix_outbound_acl_supported>false</pix_outbound_acl_supported>
<pix_timeout_rpc_is_sunrpc>false</pix_timeout_rpc_is_sunrpc>
<pix_commands>
<clear_acl>clear access-list</clear_acl>
<clear_og>clear object-group</clear_og>
@ -144,15 +137,6 @@ nameif %in %il security%sl
<clear_static>clear static</clear_static>
<clear_global>clear global</clear_global>
<clear_nat>clear nat</clear_nat>
<ip_addr_static>
ip address %il %a %n
</ip_addr_static>
<ip_addr_dyn>
ip address %il dhcp setroute retry 10
</ip_addr_dyn>
<nameif>
nameif %in %il security%sl
</nameif>
</pix_commands>
<timeouts>
@ -220,6 +204,7 @@ nameif %in %il security%sl
<pix_route_dnat_supported>false</pix_route_dnat_supported>
<pix_outbound_acl_supported>false</pix_outbound_acl_supported>
<pix_timeout_rpc_is_sunrpc>false</pix_timeout_rpc_is_sunrpc>
<pix_commands>
<clear_acl>clear access-list</clear_acl>
<clear_og>clear object-group</clear_og>
@ -232,15 +217,6 @@ nameif %in %il security%sl
<clear_static>clear static</clear_static>
<clear_global>clear global</clear_global>
<clear_nat>clear nat</clear_nat>
<ip_addr_static>
ip address %il %a %n
</ip_addr_static>
<ip_addr_dyn>
ip address %il dhcp setroute retry 10
</ip_addr_dyn>
<nameif>
nameif %in %il security%sl
</nameif>
</pix_commands>
<timeouts>
@ -308,6 +284,7 @@ nameif %in %il security%sl
<pix_route_dnat_supported>false</pix_route_dnat_supported>
<pix_outbound_acl_supported>true</pix_outbound_acl_supported>
<pix_timeout_rpc_is_sunrpc>true</pix_timeout_rpc_is_sunrpc>
<pix_commands>
<clear_acl>clear config access-list</clear_acl>
<clear_og>clear config object-group</clear_og>
@ -320,22 +297,6 @@ nameif %in %il security%sl
<clear_static>clear config static</clear_static>
<clear_global>clear config global</clear_global>
<clear_nat>clear config nat</clear_nat>
<ip_addr_static>
interface %in
ip address %a %n
exit
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp setroute
exit
</ip_addr_dyn>
<nameif>
interface %in
nameif %il
security-level %sl
exit
</nameif>
</pix_commands>
<timeouts>


@ -9,7 +9,7 @@ while (<>) {
$str=~ /<Firewall [^>]+name="([^"]*).*$"/;
$fw=$1;
printf "echo ====================== $fw =========================================\n";
printf "fwb_pix -v -f $XMLFILE $fw \n";
printf "fwb_pix -v -xt -f $XMLFILE $fw \n";
$str=~ s/^.*<Firewall [^>]+name="$fw"[^>]+>//;
}
}
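Review bot: The new command line `printf "fwb_pix -v -xt -f $XMLFILE $fw \n";` interpolates `$fw` and `$XMLFILE` into a shell command unquoted and passes the result as printf's format string, so a firewall name containing spaces, shell metacharacters or `%` produces a different or malformed command in the generated script. Use `print` and quote both values, `print "fwb_pix -v -xt -f \"$XMLFILE\" \"$fw\"\n";` (the `echo` line above has the same issue). The enclosing `while` loop starts before the hunk.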