
refs #1109 dropping rules that cause fatal errors

This commit is contained in:
Vadim Kurland 2010-01-19 23:54:09 +00:00
parent f89f63ebae
commit 6b95f0d8c4
9 changed files with 148 additions and 52 deletions


@ -1 +1 @@
#define BUILD_NUM 2385
#define BUILD_NUM 2387


@ -1,6 +1,10 @@
2010-01-19 vadim <vadim@vk.crocodile.org>
* ../src/cisco_lib/Helper.cpp (triplet::hash): fixes #1104:
* ../src/cisco_lib/NATCompiler_pix.cpp (VerifyRules::processNext):
fixes #1104: policy compiler for PIX crashed when it enountered
NAT rule trying to trsnslate both source and destination addresses.
* ../src/cisco_lib/Helper.cpp (triplet::hash): fixes #1105:
compiler for PIX crashed when interface with dynamic address
was used in ODst of a NAT rule.


@ -603,6 +603,7 @@ bool PolicyCompiler_cisco::replaceFWinDSTPolicy::processNext()
str << "Address " << addr
<< " does not match address or network zone of any interface." ;
compiler->abort(rule, str.str());
return true;
}
}
}
@ -758,10 +759,12 @@ bool PolicyCompiler_cisco::processMultiAddressObjectsInRE::processNext()
if (FWReference::cast(o)!=NULL) o = FWReference::cast(o)->getPointer();
MultiAddress *atrt = MultiAddress::cast(o);
if (atrt!=NULL && atrt->isRunTime())
{
compiler->abort(
rule,
"Run-time AddressTable and DNSName objects are not supported.");
return true;
}
}
tmp_queue.push_back(rule);
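Review bot: The added `return true;` after `compiler->abort(...)` skips the trailing `tmp_queue.push_back(rule)`, so in the modes where abort() does not stop compilation (the NATCompiler_ipt hunk in this commit mentions -xt mode and single-rule compile) the offending rule silently drops out of the generated configuration; the same pattern is applied at every abort site in this commit. That is the intended effect per the commit title, but it relies on abort() marking the compile as failed in those modes so that a configuration with a rule missing is never emitted as if it were complete — worth confirming, since the behaviour is not visible in this hunk. A one-line comment at the first such site would make the contract explicit, e.g. `// aborted rule is intentionally not queued; it must not reach the output`. processMultiAddressObjectsInRE::processNext continues outside the hunk.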


@ -213,8 +213,8 @@ bool PolicyCompiler_cisco::pickACL::processNext()
rule->getInterfaceId()));
if(rule_iface==NULL)
{
compiler->abort(
rule, "Missing interface assignment");
compiler->abort(rule, "Missing interface assignment");
return true;
}
/*
@ -240,11 +240,13 @@ bool PolicyCompiler_cisco::pickACL::processNext()
}
if (rule->getDirection() == PolicyRule::Outbound && !generate_out_acl)
{
compiler->abort(
rule,
"Rule with direction 'Outbound' requires outbound ACL "
"but option 'Generate outbound access lists' is OFF.");
return true;
}
/* The choice of the ACL name depends on whether this is a named
* acl or not. If not, should use unique numbers. Also need to


@ -197,10 +197,13 @@ bool PolicyCompiler_pix::checkVersionAndDynamicInterface::findDynamicInterface(
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Interface *iface=Interface::cast(obj);
if (iface!=NULL && iface->isDyn() && (vers=="6.1" || vers=="6.2"))
{
compiler->abort(
rule,
"Dynamic interface can be used in the policy rule only "
"in v6.3 or later.");
return false;
}
}
return true;
@ -208,11 +211,9 @@ bool PolicyCompiler_pix::checkVersionAndDynamicInterface::findDynamicInterface(
bool PolicyCompiler_pix::checkVersionAndDynamicInterface::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyRule *rule = getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
Service *s=compiler->getFirstSrv(rule);
Service *s = compiler->getFirstSrv(rule);
/* if service is ssh, telnet or icmp then we can use dynamic interface
* even in earlier versions */
@ -220,13 +221,22 @@ bool PolicyCompiler_pix::checkVersionAndDynamicInterface::processNext()
if (TCPService::isA(s))
{
if ( s->getInt("dst_range_start")==22 &&
s->getInt("dst_range_end")==22) return true;
s->getInt("dst_range_end")==22)
{
tmp_queue.push_back(rule);
return true;
}
if ( s->getInt("dst_range_start")==23 &&
s->getInt("dst_range_end")==23) return true;
s->getInt("dst_range_end")==23)
{
tmp_queue.push_back(rule);
return true;
}
}
findDynamicInterface(rule,rule->getSrc());
findDynamicInterface(rule,rule->getDst());
if (findDynamicInterface(rule,rule->getSrc()) &&
findDynamicInterface(rule,rule->getDst()))
tmp_queue.push_back(rule);
return true;
}
@ -247,20 +257,24 @@ bool PolicyCompiler_pix::SpecialServices::processNext()
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
{
compiler->abort(
rule,
"PIX does not support checking for IP options in ACLs.");
return true;
}
}
if (TCPService::cast(s)!=NULL) {
if (s->getBool("ack_flag") ||
s->getBool("fin_flag") ||
s->getBool("rst_flag") ||
s->getBool("syn_flag") )
{
compiler->abort(
rule,
"PIX does not support checking for TCP options in ACLs.");
return true;
}
}
tmp_queue.push_back(rule);
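Review bot: The two early-return blocks added in checkVersionAndDynamicInterface::processNext for ports 22 and 23 are identical except for the port number and could be a single test, e.g. `int port = s->getInt("dst_range_start");` / `if (port == s->getInt("dst_range_end") && (port == 22 || port == 23)) { tmp_queue.push_back(rule); return true; }`. The comment above them still says "ssh, telnet or icmp", so if the ICMP case lives in the lines between the two hunks it should get the same `tmp_queue.push_back(rule)` treatment, otherwise an ICMP rule that previously passed through would now be dropped. Note also that `findDynamicInterface(src) && findDynamicInterface(dst)` short-circuits, so a rule with dynamic interfaces in both Src and Dst reports only the Src error; that seems acceptable but is a change from the old two unconditional calls.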


@ -491,8 +491,6 @@ bool NATCompiler_ipt::VerifyRules::processNext()
{
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
RuleElementOSrc *osrc=rule->getOSrc(); assert(osrc);
RuleElementODst *odst=rule->getODst(); assert(odst);
RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv);
@ -502,35 +500,53 @@ bool NATCompiler_ipt::VerifyRules::processNext()
RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv);
if (tsrc->getNeg())
{
compiler->abort(
rule,
"Can not use negation in translated source ");
return true;
}
if (tdst->getNeg())
{
compiler->abort(
rule,
"Can not use negation in translated destination.");
return true;
}
if (tsrv->getNeg())
{
compiler->abort(
rule,
"Can not use negation in translated service.");
return true;
}
if (tsrv->size()!=1)
{
compiler->abort(
rule,
"Translated service should be 'Original' or should contain single object.");
return true;
}
if ( Group::cast( compiler->getFirstTSrv(rule) )!=NULL)
{
compiler->abort(
rule,
"Can not use group in translated service.");
return true;
}
if (rule->getRuleType()==NATRule::LB)
{
compiler->abort(
rule,
"Load balancing rules are not supported.");
return true;
}
// Note that in -xt mode and in single rule compile compiler->abort
// does not really abort processing
@ -538,16 +554,22 @@ bool NATCompiler_ipt::VerifyRules::processNext()
{
RuleSet *branch = rule->getBranch();
if (branch == NULL)
{
compiler->abort(
rule,
"Action 'Branch' needs NAT rule set to point to");
else
return true;
} else
{
if (!NAT::isA(branch))
{
compiler->abort(
rule,
"Action 'Branch' must point to a NAT rule set "
"(points to " + branch->getTypeName() + ")");
return true;
}
}
}
@ -555,13 +577,22 @@ bool NATCompiler_ipt::VerifyRules::processNext()
{
FWObject *o1 = FWReference::getObject(tsrc->front());
if ( ! tsrc->isAny() && Network::cast(o1)!=NULL)
{
compiler->abort(
rule,
"Can not use network object in translated source.");
return true;
}
if (Interface::isA(o1) && Interface::cast(o1)->isUnnumbered())
compiler->abort(rule,
"Can not use unnumbered interface in "
"Translated Source of a Source translation rule.");
{
compiler->abort(
rule,
"Can not use unnumbered interface in "
"Translated Source of a Source translation rule.");
return true;
}
}
if (rule->getRuleType()==NATRule::SNetnat && !tsrc->isAny() )
@ -570,9 +601,13 @@ bool NATCompiler_ipt::VerifyRules::processNext()
Network *a2=Network::cast(compiler->getFirstTSrc(rule));
if ( a1==NULL || a2==NULL ||
a1->getNetmaskPtr()->getLength() != a2->getNetmaskPtr()->getLength() )
{
compiler->abort(
rule,
"Original and translated source should both be networks of the same size.");
return true;
}
}
if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() )
@ -581,11 +616,17 @@ bool NATCompiler_ipt::VerifyRules::processNext()
Network *a2=Network::cast(compiler->getFirstTDst(rule));
if ( a1==NULL || a2==NULL ||
a1->getNetmaskPtr()->getLength() != a2->getNetmaskPtr()->getLength() )
{
compiler->abort(
rule,
"Original and translated destination should both be networks of the same size .");
return true;
}
}
tmp_queue.push_back(rule);
return true;
}
@ -598,8 +639,6 @@ bool NATCompiler_ipt::VerifyRules2::processNext()
{
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (rule->getRuleType()!= NATRule::Return)
{
RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv);
@ -609,15 +648,24 @@ bool NATCompiler_ipt::VerifyRules2::processNext()
Service *s2=compiler->getFirstTSrv(rule);
if (osrv->isAny() && ! tsrv->isAny())
{
compiler->abort(
rule,
"Can not use service object in Translated Service if Original Service is 'Any'.");
return true;
}
if (!tsrv->isAny() && s1->getProtocolNumber()!=s2->getProtocolNumber())
{
compiler->abort(
rule,
"Translated Service should be either 'Original' or should contain object of the same type as Original Service.");
return true;
}
}
tmp_queue.push_back(rule);
return true;
}
@ -1172,8 +1220,8 @@ bool NATCompiler_ipt::ExpandAddressRanges::processNext()
void NATCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces(RuleElement *re,
Rule *rule)
void NATCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces(
RuleElement *re, Rule *rule)
{
if (re->isAny()) return;
@ -1898,8 +1946,7 @@ bool NATCompiler_ipt::splitNATBranchRule::processNext()
}
else
{
compiler->abort(rule,
"NAT branching rule misses branch rule set.");
compiler->abort(rule, "NAT branching rule misses branch rule set.");
// in case we are in the test mode and abort() does not
// really abort. Both the chain and the target are bogus
// and are needed only to make the compiler continue and
@ -2253,21 +2300,21 @@ bool NATCompiler_ipt::verifyRuleWithMAC::processNext()
{
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
RuleElementOSrc *rel = rule->getOSrc();
if (rel->isAny())
{
tmp_queue.push_back(rule);
return true;
}
string chain=rule->getStr("ipt_chain");
string chain = rule->getStr("ipt_chain");
if (chain!="PREROUTING" &&
chain!="FORWARD" &&
chain!="INPUT" )
if (chain!="PREROUTING" && chain!="FORWARD" && chain!="INPUT" )
{
/* scan all objects in OSrc, look for physAddress or combinedAddress
* with pa present. Objects like that are not allowed in chain POSTROUTING.
* Issue warning and remove physAddress from the list.
*/
RuleElementOSrc *rel= rule->getOSrc();
if (rel->isAny()) return true;
list<FWObject*> cl;
FWObject *pa=NULL;
for (FWObject::iterator i=rel->begin(); i!=rel->end(); i++)
@ -2309,6 +2356,7 @@ bool NATCompiler_ipt::verifyRuleWithMAC::processNext()
"SNAT rule can not match MAC address, however after removing object %s from OSrc it becomes 'Any'",
pa->getName().c_str());
compiler->abort(rule, errmsg );
return true;
}
else
{
@ -2320,6 +2368,7 @@ bool NATCompiler_ipt::verifyRuleWithMAC::processNext()
}
}
tmp_queue.push_back(rule);
return true;
}
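Review bot: NATCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces keeps its `void` return in the reflowed signature, whereas the PolicyCompiler_ipt counterpart in this same commit is changed to return `bool` so that processNext can skip `tmp_queue.push_back(rule)` after an abort. If the NAT processNext (outside the hunk) follows the same shape as the policy one, a NAT rule that hits the abort inside this helper is still queued, which is the situation the commit is trying to eliminate. Suggested change: `bool NATCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces(RuleElement *re, Rule *rule)`, `return false;` after the abort and `return true;` on the normal paths, with the caller pushing only when both calls succeed. The helper body continues past the hunk, so the abort site itself is not visible here.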


@ -2473,9 +2473,12 @@ bool PolicyCompiler_ipt::checkSrcAndDst1::processNext()
if (!compiler->isFirewallOrCluster(src) &&
compiler->isFirewallOrCluster(dst) &&
rule->getDirection()==PolicyRule::Outbound )
{
compiler->abort(
rule,
"direction can not be outbound when destination is firewall");
return true;
}
tmp_queue.push_back(rule);
return true;
@ -2491,9 +2494,12 @@ bool PolicyCompiler_ipt::checkSrcAndDst2::processNext()
if (compiler->isFirewallOrCluster(src) &&
!compiler->isFirewallOrCluster(dst) &&
rule->getDirection()==PolicyRule::Inbound )
{
compiler->abort(
rule,
"direction can not be inbound when source is firewall");
return true;
}
tmp_queue.push_back(rule);
return true;
@ -2703,10 +2709,10 @@ bool PolicyCompiler_ipt::specialCaseWithUnnumberedInterface::processNext()
return true;
}
void PolicyCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces(RuleElement *re,
Rule *rule)
bool PolicyCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces(
RuleElement *re, Rule *rule)
{
if (re->isAny()) return;
if (re->isAny()) return true;
list<FWObject*> cl;
for (list<FWObject*>::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
@ -2725,8 +2731,10 @@ void PolicyCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInt
ifs->getParent()->getName().c_str());
compiler->abort(rule, errstr);
return false;
}
}
return true;
}
@ -2734,10 +2742,10 @@ bool PolicyCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
findDynamicInterfaces( rule->getSrc() , rule );
findDynamicInterfaces( rule->getDst() , rule );
if (findDynamicInterfaces( rule->getSrc() , rule ) &&
findDynamicInterfaces( rule->getDst() , rule ))
tmp_queue.push_back(rule);
tmp_queue.push_back(rule);
return true;
}
@ -3106,15 +3114,21 @@ bool PolicyCompiler_ipt::finalizeChain::processNext()
Address *src = compiler->getFirstSrc(rule);
if (src==NULL)
{
compiler->abort(
rule,
"finalizeChain: Empty Source rule element in rule");
return true;
}
Address *dst =compiler->getFirstDst(rule);
if (dst==NULL)
{
compiler->abort(
rule,
"finalizeChain: Empty Destination rule element in rule");
return true;
}
bool b,m;
/*
@ -3244,20 +3258,26 @@ bool PolicyCompiler_ipt::removeFW::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (compiler->osconfigurator->getNumOfVirtualAddressesForNat()==0 &&
! rule->getBool("upstream_rule_neg") )
{
RuleElementSrc *srcrel = rule->getSrc();
Address *src = compiler->getFirstSrc(rule);
if (src==NULL) compiler->abort(
if (src==NULL)
{
compiler->abort(
rule, "removeFW: Empty Source rule element in rule");
return true;
}
RuleElementDst *dstrel = rule->getDst();
Address *dst = compiler->getFirstDst(rule);
if (dst==NULL) compiler->abort(
if (dst==NULL)
{
compiler->abort(
rule, "removeFW: Empty Destination rule element in rule");
return true;
}
string chain = rule->getStr("ipt_chain");
@ -3275,6 +3295,8 @@ bool PolicyCompiler_ipt::removeFW::processNext()
srcrel->reset();
}
}
tmp_queue.push_back(rule);
return true;
}
@ -3282,8 +3304,6 @@ bool PolicyCompiler_ipt::checkMACinOUTPUTChain::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if ( rule->getStr("ipt_chain")=="OUTPUT" )
{
// RuleElementSrc *srcrel=rule->getSrc();
@ -3291,13 +3311,15 @@ bool PolicyCompiler_ipt::checkMACinOUTPUTChain::processNext()
assert(src);
if (physAddress::isA(src))
{
compiler->abort(
rule, "Can not match MAC address of the firewall");
return true;
}
if (combinedAddress::isA(src))
{
compiler->warning(
rule,
"Can not match MAC address of the firewall "
"(chain OUTPUT) ");
@ -3305,6 +3327,8 @@ bool PolicyCompiler_ipt::checkMACinOUTPUTChain::processNext()
}
}
tmp_queue.push_back(rule);
return true;
}
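Review bot: The new `bool` return of checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces carries a contract (false means "rule aborted, do not queue it") that neither the definition nor the declaration in PolicyCompiler_ipt.h documents, and a future caller that ignores the result would silently reintroduce the queued-after-abort problem. Suggested comment above the definition and on the header declaration: `// Returns false if a dynamic interface belonging to another object was found in re and the rule was aborted; the caller must not push the rule to tmp_queue.` Because processNext combines the two calls with `&&`, only the Src problem is reported when both Src and Dst are bad; that is probably fine but is a behaviour change from the two unconditional calls it replaces.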


@ -555,7 +555,7 @@ protected:
friend class checkForDynamicInterfacesOfOtherObjects;
class checkForDynamicInterfacesOfOtherObjects : public PolicyRuleProcessor
{
void findDynamicInterfaces(libfwbuilder::RuleElement *re,
bool findDynamicInterfaces(libfwbuilder::RuleElement *re,
libfwbuilder::Rule *rule);
public:
checkForDynamicInterfacesOfOtherObjects(const std::string &name) : PolicyRuleProcessor(name) {}


@ -1,7 +1,7 @@
#!/bin/sh
DIFFCMD="diff -C 5 -c -b -B -w -I \"# Generated\" -I 'Activating ' -I '# Firewall Builder fwb_pix v' -I 'Can not find file' -I '====' -I 'log '"
DIFFCMD="diff -C 5 -c -b -B -w -I \"! Generated\" -I 'Activating ' -I '! Firewall Builder fwb_pix v' -I 'Can not find file' -I '====' -I 'log '"
for f in $(ls *.fw.orig)
do