support for tos and dscp matching in ios access lists

2026-05-02 07:07:32 +02:00 · 2008-07-06 02:35:45 +00:00 · 2008-07-06 02:35:45 +00:00 · 6766d917b9
commit 6766d917b9
parent ce2508e93a
4 changed files with 1101 additions and 3979 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,7 +1,11 @@
 2008-07-05  Vadim Kurland  <vadim@vk.crocodile.org>

+	* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTOS):
+	Support for TOS and DSCP matching in IOS access lists.
+
 	* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
-	Support for tos matching in compiler for pf.
+	Support for tos matching in compiler for pf. PF does not support
+	DSCP matching.

 	* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): Support for
 	TOS and DSCP matching in compiler for iptables.
--- a/src/iosacl/PolicyCompiler_iosacl.h
+++ b/src/iosacl/PolicyCompiler_iosacl.h
@ -195,6 +195,7 @@ namespace fwcompiler {
            std::string _printACL(libfwbuilder::PolicyRule *r);
            std::string _printLog(libfwbuilder::PolicyRule *r);
            std::string _printFragm(libfwbuilder::Service *srv);
+            std::string _printTOS(libfwbuilder::Service *srv);

            std::string _printRule(libfwbuilder::PolicyRule *rule);

--- a/src/iosacl/PolicyCompiler_iosacl_writers.cpp
+++ b/src/iosacl/PolicyCompiler_iosacl_writers.cpp
@ -262,6 +262,7 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
    aclstr << _printLog( rule );
    // "fragments" should be the last option in the access-list command
    aclstr << _printFragm( compiler->getFirstSrv(rule) );
+    aclstr << _printTOS( compiler->getFirstSrv(rule) );

 //    aclstr << endl;

@ -331,12 +332,27 @@ string PolicyCompiler_iosacl::PrintRule::_printSrcService(libfwbuilder::Service

 string PolicyCompiler_iosacl::PrintRule::_printFragm(Service *srv)
 {
-    if (IPService::isA(srv) && (srv->getBool("fragm") || srv->getBool("short_fragm")))
+    if (IPService::isA(srv) && (
+            srv->getBool("fragm") || srv->getBool("short_fragm")))
        return "fragments ";
    
    return "";
 }

+string PolicyCompiler_iosacl::PrintRule::_printTOS(Service *srv)
+{
+    const IPService *ip;
+    if ((ip=IPService::constcast(srv))!=NULL)
+    {
+        string tos = ip->getTOSCode();
+        string dscp = ip->getDSCPCode();
+        if (!dscp.empty()) return string("dscp ") + dscp;
+        else
+            if (!tos.empty()) return string("tos ") + tos;
+    }
+    return "";
+}
+
 string PolicyCompiler_iosacl::PrintRule::_printDstService(Service *srv)
 {
    ostringstream  str;
--- a/test/iosacl/objects.fwb
+++ b/test/iosacl/objects.fwb