
Feature: Added Junos support

This commit is contained in:
Sirius Bakke
2014-04-04 10:24:59 +02:00
parent 4c5ba9abc7
commit 70000f0ec7
50 changed files with 6237 additions and 91 deletions

.gitignore vendored

@@ -41,6 +41,7 @@ fwb_ipt
fwb_pf
fwb_pix
fwb_procurve_acl
fwb_junosacl
transfer_secuwall
.configure_marker
.build_marker


@@ -14,6 +14,6 @@ VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
GENERATION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION"
# Data format version
FWBUILDER_XML_VERSION=23
FWBUILDER_XML_VERSION=24


@@ -18,6 +18,7 @@ SOURCES = CompilerDriver.cpp \
freebsdInterfaces.cpp \
nxosInterfaces.cpp \
iosInterfaces.cpp \
junosInterfaces.cpp \
procurveInterfaces.cpp \
pixInterfaces.cpp \
interfacePropertiesObjectFactory.cpp \
@@ -32,6 +33,7 @@ HEADERS = ../../config.h \
freebsdInterfaces.h \
nxosInterfaces.h \
iosInterfaces.h \
junosInterfaces.h \
procurveInterfaces.h \
pixInterfaces.h \
interfacePropertiesObjectFactory.h \


@@ -28,6 +28,7 @@
#include "linux24Interfaces.h"
#include "nxosInterfaces.h"
#include "iosInterfaces.h"
#include "junosInterfaces.h"
#include "procurveInterfaces.h"
#include "openbsdInterfaces.h"
#include "freebsdInterfaces.h"
@@ -64,6 +65,8 @@ interfaceProperties* interfacePropertiesObjectFactory::getInterfacePropertiesObj
if (os_family == "ios") return new iosInterfaces();
if (os_family == "junos") return new junosInterfaces();
if (os_family == "pix_os" || os_family == "ios") return new pixInterfaces();
if (os_family == "openbsd") return new openbsdInterfaces();


@@ -0,0 +1,83 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "junosInterfaces.h"
#include "fwbuilder/Interface.h"
#include <QDebug>
#include <QObject>
#include <QRegExp>
using namespace std;
using namespace libfwbuilder;
bool junosInterfaces::parseVlan(const QString &name, QString *base_name, int *vlan_id)
{
QRegExp vlan_name_pattern("unit (\\d{1,})");
if (vlan_name_pattern.indexIn(name) != -1)
{
if (base_name!=NULL) *base_name = QString("unit");
if (vlan_id!=NULL) *vlan_id = vlan_name_pattern.cap(1).toInt();
return true;
}
return false;
}
// simple name validation: DOES allow space and "-"
bool junosInterfaces::basicValidateInterfaceName(Interface *,
const QString &obj_name,
QString &err)
{
return true;
}
bool junosInterfaces::isValidVlanInterfaceName(const QString &subint_name,
const QString &parent_name,
QString &err)
{
if (!looksLikeVlanInterface(subint_name))
{
err = QObject::tr("'%1' is not a valid unit name")
.arg(subint_name);
return false;
}
QString parent_name_from_regex;
int vlan_id;
if (parseVlan(subint_name, &parent_name_from_regex, &vlan_id))
{
if (vlan_id > 16384)
{
err = QObject::tr("'%1' looks like a name of a unit "
"but the unit number it defines is outside of the valid "
"range.").arg(subint_name);
return false;
}
}
return true;
}
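Review bot: In `parseVlan` the value of `vlan_name_pattern.cap(1).toInt()` is stored without checking the conversion flag, so a unit number too large for `int` (the pattern `\d{1,}` is unbounded) converts to 0, and `isValidVlanInterfaceName` then accepts it as unit 0 instead of rejecting it with the out-of-range message. Pass the flag and fail the parse on overflow: `bool ok = false; int id = vlan_name_pattern.cap(1).toInt(&ok); if (!ok) return false;` before writing `*vlan_id`. The pattern is also unanchored, so `indexIn` matches "unit N" anywhere in the name; if only a trailing `unit <n>` is meant, anchoring the expression (e.g. `"\\bunit (\\d{1,})$"`) would make that explicit — worth confirming against the intended Junos naming. Separately, `basicValidateInterfaceName` accepts every name unconditionally and never sets `err`, which is more than its "DOES allow space and '-'" comment suggests; if no validation is intended for Junos, the comment should say so.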


@@ -0,0 +1,48 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef JUNOS_INTERFACE_PROPERTIES_HH
#define JUNOS_INTERFACE_PROPERTIES_HH
#include "interfaceProperties.h"
class junosInterfaces : public interfaceProperties
{
public:
junosInterfaces() : interfaceProperties() {}
// simple name validation: DOES allow space and "-"
virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf,
const QString &proposed_name,
QString &err);
virtual bool parseVlan(const QString&, QString*, int*);
virtual bool isValidVlanInterfaceName(const QString &subint_name,
const QString &parent_name,
QString &err);
};
#endif
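Review bot: The comment above `basicValidateInterfaceName` ("simple name validation: DOES allow space and '-'") appears to be carried over from another platform's header and does not describe this class: the junosInterfaces.cpp implementation in this commit returns true for every name and leaves `err` untouched. Replace it with a comment that matches the behaviour, e.g. `// No interface name validation for Junos: always returns true and does not set err.`. The `parseVlan` declaration would also read better with named parameters so the header documents the contract, e.g. `virtual bool parseVlan(const QString &name, QString *base_name, int *vlan_id);`.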


@@ -52,6 +52,7 @@ OTHER_LIBS = ../common/$$BINARY_SUBDIR/libcommon.a \
../iptlib/$$BINARY_SUBDIR/libiptlib.a \
../pflib/$$BINARY_SUBDIR/libfwbpf.a \
../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \
../juniper_lib/$$BINARY_SUBDIR/libfwbjuniper.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a


@@ -0,0 +1,42 @@
#include "../../config.h"
#include <string>
#include "CompilerDriver_junosacl.h"
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
#include <QString>
#ifdef _WIN32
string fs_separator = "\\";
#else
string fs_separator = "/";
#endif
CompilerDriver_junosacl::CompilerDriver_junosacl(FWObjectDatabase *db) :
CompilerDriver(db)
{
}
// create a copy of itself, including objdb
CompilerDriver* CompilerDriver_junosacl::clone()
{
CompilerDriver_junosacl* new_cd = new CompilerDriver_junosacl(objdb);
if (inEmbeddedMode()) new_cd->setEmbeddedMode();
return new_cd;
}
void CompilerDriver_junosacl::printProlog(QTextStream &file, const string &prolog_code)
{
file << endl;
file << "/*" << endl;
file << " * Prolog script" << endl;
file << " */" << endl;
file << prolog_code << endl;
file << "/*" << endl;
file << " * End of prolog script" << endl;
file << " */" << endl;
}
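Review bot: `fs_separator` is defined as a non-static global near the top of this translation unit although nothing in the file uses it; if another driver source linked into the same binary defines the same symbol (not visible from this hunk), the link fails with a duplicate definition. Drop it, or give it internal linkage, e.g. `static const string fs_separator = "/";` in each `#ifdef` branch (or wrap the definition in an anonymous namespace). The `#include <QString>` placed after the `using namespace` directives is harmless but reads as an oversight; move it next to the other includes.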


@@ -0,0 +1,55 @@
#ifndef __COMPILER_DRIVER_JUNOSACL_HH__
#define __COMPILER_DRIVER_JUNOSACL_HH__
#include "CompilerDriver.h"
#include <string>
#include <sstream>
#include <QTextStream>
namespace libfwbuilder {
class FWObjectDatabase;
class Cluster;
class ClusterGroup;
class Firewall;
class RuleSet;
class Interface;
};
namespace fwcompiler {
class NamedObjectsManager;
class CompilerDriver_junosacl : public CompilerDriver
{
protected:
std::string system_configuration_script;
std::string policy_script;
void printProlog(QTextStream &file, const std::string &prolog_code);
virtual QString assembleManifest(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall *fw,
bool cluster_member);
virtual QString printActivationCommands(libfwbuilder::Firewall *fw);
virtual QString assembleFwScript(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall* fw,
bool cluster_member,
OSConfigurator *oscnf);
public:
CompilerDriver_junosacl(libfwbuilder::FWObjectDatabase *db);
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
virtual QString run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id);
};
}
#endif // __COMPILER_DRIVER_JUNOSACL_HH__
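Review bot: The include guard `__COMPILER_DRIVER_JUNOSACL_HH__` is a double-underscore identifier, which is reserved for the implementation; the same applies to `_OSNETWORKCONFIGURATOR_JUNOS_HH` in OSConfigurator_junos.h (leading underscore followed by an uppercase letter). Plain `COMPILER_DRIVER_JUNOSACL_HH` / `OSNETWORKCONFIGURATOR_JUNOS_HH` stay out of the reserved namespace, and junosInterfaces.h in this commit already uses that form. The `};` closing the `libfwbuilder` forward-declaration namespace carries a stray semicolon; a namespace closing brace takes none.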


@@ -0,0 +1,339 @@
#include "../../config.h"
#include "CompilerDriver_junosacl.h"
#include "OSConfigurator_junos.h"
#include "cisco_lib/NamedObjectsManager.h"
#include "cisco_lib/NamedObjectsAndGroupsSupport.h"
#include "PolicyCompiler_junosacl.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwcompiler/Preprocessor.h"
#include <QStringList>
#include <QFileInfo>
#include <QFile>
#include <QTextStream>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
QString CompilerDriver_junosacl::assembleManifest(Cluster*, Firewall*, bool)
{
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << "/* " << MANIFEST_MARKER
<< " * " << this->escapeFileName(file_names[FW_FILE]) << " */" << endl;
return script_buffer;
}
QString CompilerDriver_junosacl::printActivationCommands(Firewall *)
{
return QString();
}
QString CompilerDriver_junosacl::assembleFwScript(Cluster *cluster,
Firewall *fw,
bool cluster_member,
OSConfigurator *oscnf)
{
Configlet script_skeleton(fw, "junos", "script_skeleton");
Configlet top_comment(fw, "junos", "top_comment");
script_skeleton.setVariable("system_configuration_script",
QString::fromUtf8(system_configuration_script.c_str()));
script_skeleton.setVariable("policy_script",
QString::fromUtf8(policy_script.c_str()));
FWOptions* options = fw->getOptionsObject();
options->setStr("prolog_script", options->getStr("junosacl_prolog_script"));
options->setStr("epilog_script", options->getStr("junosacl_epilog_script"));
// we do not offer user a choice of the place where to put prolog
// lines, therefore we can reset this attribute to make sure it
// does not interfere
options->setStr("prolog_place", "");
assembleFwScriptInternal(cluster, fw, cluster_member,
oscnf, &script_skeleton, &top_comment, "!", true);
return script_skeleton.expand();
}
QString CompilerDriver_junosacl::run(const string &cluster_id,
const string &firewall_id,
const string &single_rule_id)
{
Cluster *cluster = NULL;
Firewall *fw = NULL;
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
try
{
clearReadOnly(fw);
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
commonChecks2(cluster, fw);
// Note that fwobjectname may be different from the name of the
// firewall fw This happens when we compile a member of a cluster
current_firewall_name = fw->getName().c_str();
determineOutputFileNames(cluster, fw, !cluster_id.empty(),
QStringList(""), QStringList("fw"),
QStringList(""));
/* Now that all checks are done, we can drop copies of cluster
* interfaces that were added to the firewall by
* CompilerDriver::populateClusterElements()
*/
list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
list<FWObject*> copies_of_cluster_interfaces;
for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
{
Interface *iface = Interface::cast(*i);
assert(iface);
if (iface->getOptionsObject()->getBool("cluster_interface"))
copies_of_cluster_interfaces.push_back(iface);
}
while (copies_of_cluster_interfaces.size())
{
fw->remove(copies_of_cluster_interfaces.front());
copies_of_cluster_interfaces.pop_front();
}
FWOptions* options = fw->getOptionsObject();
string fwvers = fw->getStr("version");
if (fwvers == "") fw->setStr("version", "11.2");
if (fwvers == "11.x") fw->setStr("version", "11.2");
string platform = fw->getStr("platform");
std::auto_ptr<OSConfigurator_junos> oscnf(new OSConfigurator_junos(objdb, fw, false));
oscnf->prolog();
oscnf->processFirewallOptions();
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
// assign unique rule ids that later will be used to generate
// chain names. This should be done after calls to
// findImportedRuleSets()
// NB: these ids are not used by this compiler
assignUniqueRuleIds(all_policies);
vector<int> ipv4_6_runs;
// // // // //NamedObjectsManager named_objects_manager(persistent_objects, fw);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
// If neither is used, both parts will be done.
if (options->getStr("ipv4_6_order").empty() ||
options->getStr("ipv4_6_order") == "ipv4_first")
{
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
}
if (options->getStr("ipv4_6_order") == "ipv6_first")
{
if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
}
string object_groups_definitions;
for (vector<int>::iterator i=ipv4_6_runs.begin();
i!=ipv4_6_runs.end(); ++i)
{
int policy_af = *i;
bool ipv6_policy = (policy_af == AF_INET6);
// Count rules for each address family
int policy_count = 0;
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p)
{
Policy *policy = Policy::cast(*p);
if (policy->matchingAddressFamily(policy_af)) policy_count++;
}
if (policy_count)
{
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb, fw, false));
if (inTestMode()) prep->setTestMode();
if (inEmbeddedMode()) prep->setEmbeddedMode();
prep->compile();
}
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p)
{
Policy *policy = Policy::cast(*p);
if (!policy->matchingAddressFamily(policy_af)) continue;
PolicyCompiler_junosacl c(objdb, fw, ipv6_policy, oscnf.get());
// // // // //c.setNamedObjectsManager(&named_objects_manager);
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
c.setPersistentObjects(persistent_objects);
c.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) c.setTestMode();
if (inEmbeddedMode()) c.setEmbeddedMode();
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
c.setVerbose( verbose );
if ( c.prolog() > 0)
{
c.compile();
c.epilog();
if (!single_rule_compile_on)
{
if (ipv6_policy)
{
policy_script += "\n\n";
policy_script += "# ================ IPv6\n";
policy_script += "\n\n";
} else {
policy_script += "\n\n";
policy_script += "# ================ IPv4\n";
policy_script += "\n\n";
}
}
if (c.haveErrorsAndWarnings())
{
all_errors.push_back(c.getErrors("").c_str());
}
policy_script += c.getCompiledScript();
} else {
info(" Nothing to compile in Policy");
}
}
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());
}
// // // // //object_groups_definitions +=
// // // // // named_objects_manager.getNamedObjectsDefinitions();
if (single_rule_compile_on)
{
return formSingleRuleCompileOutput(
QString::fromUtf8(
(object_groups_definitions +
policy_script).c_str()));
}
system_configuration_script += object_groups_definitions;
QString script_buffer = assembleFwScript(
cluster, fw, !cluster_id.empty(), oscnf.get());
QString ofname = getAbsOutputFileName(file_names[FW_FILE]);
info("Output file name: " + ofname.toStdString());
QFile fw_file(ofname);
if (fw_file.open(QIODevice::WriteOnly))
{
QTextStream fw_str(&fw_file);
fw_str << script_buffer;
fw_file.close();
fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
QFile::ReadGroup | QFile::ReadOther |
QFile::ExeOwner |
QFile::ExeGroup |
QFile::ExeOther );
info(" Compiled successfully");
} else {
QString err(" Failed to open file %1 for writing: %2; Current dir: %3");
abort(err.arg(fw_file.fileName())
.arg(fw_file.error()).arg(QDir::current().path()).toStdString());
}
if (!all_errors.isEmpty())
status = BaseCompiler::FWCOMPILER_WARNING;
}
catch (FWException &ex)
{
status = BaseCompiler::FWCOMPILER_ERROR;
return QString::fromUtf8((ex.toString().c_str()));
}
return "";
}
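Review bot: The output file written at the end of `run` is given `QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther` and `QFile::ReadOther`, but the content is a Junos configuration rather than an executable script, and the firewall policy becomes world-readable. Unless another tool depends on these bits, `QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup` is enough; note also that `setPermissions` runs after the data is written, so the file is briefly exposed with the process's default umask. Separately, `assembleFwScript` passes `"!"` (the IOS comment marker) to `assembleFwScriptInternal`, while `assembleManifest` emits `/* ... */` and PolicyCompiler_junosacl sets `comment_symbol = "#"`; if that argument is the comment prefix, the generated file mixes three comment styles and the `!` lines may not be accepted by the target — worth confirming. `string platform = fw->getStr("platform");` is unused and can be dropped.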


@@ -0,0 +1,93 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "OSConfigurator_junos.h"
#include "cisco_lib/Helper.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include <list>
#include <algorithm>
#include <functional>
#include <assert.h>
#include <iostream>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
string OSConfigurator_junos::myPlatformName() { return "junos"; }
int OSConfigurator_junos::prolog()
{
string host_os = fw->getStr("host_OS");
if (host_os!="junos")
abort("Unsupported OS " + host_os );
return Compiler::prolog();
}
void OSConfigurator_junos::processFirewallOptions()
{
}
string OSConfigurator_junos::_printNameif()
{
ostringstream res;
return res.str();
}
string OSConfigurator_junos::_printIPAddress()
{
ostringstream res;
return res.str();
}
string OSConfigurator_junos::_printLogging()
{
ostringstream str;
return str.str();
}
void OSConfigurator_junos::addVirtualAddressForNAT(const Address*)
{
}
void OSConfigurator_junos::addVirtualAddressForNAT(const Network*)
{
}
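Review bot: `fwbuilder/Resources.h` is included twice in this file (once after `cisco_lib/Helper.h` and again after `fwbuilder/Management.h`); drop the second include. The stubs `processFirewallOptions`, `_printNameif`, `_printIPAddress`, `_printLogging` and both `addVirtualAddressForNAT` overloads are empty or return an empty string with no explanation; if that is deliberate, a one-line comment on each, e.g. `// Intentionally empty: Junos ACL output does not emit this configuration section.`, tells the next reader it is not unfinished work.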


@@ -0,0 +1,60 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _OSNETWORKCONFIGURATOR_JUNOS_HH
#define _OSNETWORKCONFIGURATOR_JUNOS_HH
#include "config.h"
#include "fwcompiler/OSConfigurator.h"
#include <map>
namespace fwcompiler {
class OSConfigurator_junos : public OSConfigurator {
std::string _printNameif();
std::string _printIPAddress();
std::string _printLogging();
public:
virtual ~OSConfigurator_junos() {}
OSConfigurator_junos(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) {}
virtual int prolog();
virtual std::string myPlatformName();
virtual void processFirewallOptions();
virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr);
virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw);
};
}
#endif


@@ -0,0 +1,585 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "PolicyCompiler_junosacl.h"
// #include "NamedObjectsAndGroupsSupport.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/ObjectMirror.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "compiler_lib/junosInterfaces.h"
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
string PolicyCompiler_junosacl::myPlatformName() { return "junosacl"; }
PolicyCompiler_junosacl::PolicyCompiler_junosacl(FWObjectDatabase *_db,
Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf) :
PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf)
{
resetinbound = false;
fragguard = false;
comment_symbol = "#";
}
int PolicyCompiler_junosacl::prolog()
{
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string host_os = fw->getStr("host_OS");
if (platform!="junosacl")
abort("Unsupported platform " + platform );
fw->getOptionsObject()->setBool("generate_out_acl", true);
fw->getOptionsObject()->setBool(
"use_acl_remarks",
fw->getOptionsObject()->getBool("iosacl_use_acl_remarks"));
// object_groups = new Group();
// persistent_objects->add( object_groups );
setAllNetworkZonesToNone();
return PolicyCompiler::prolog();
}
bool PolicyCompiler_junosacl::checkForDynamicInterface::findDynamicInterface(
PolicyRule *rule, RuleElement *rel)
{
string vers=compiler->fw->getStr("version");
for (list<FWObject*>::iterator i1=rel->begin(); i1!=rel->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Interface *iface=Interface::cast(obj);
if (iface!=NULL && iface->isDyn())
compiler->abort(
rule,
"Dynamic interface can not be used in the IOS ACL rules.");
}
return true;
}
bool PolicyCompiler_junosacl::checkForDynamicInterface::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
findDynamicInterface(rule,rule->getSrc());
findDynamicInterface(rule,rule->getDst());
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_junosacl::ValidateInterfaceUnitName::processNext()
{
assert(compiler!=NULL);
assert(prev_processor!=NULL);
slurp();
if (tmp_queue.size()==0) return false;
junosInterfaces * jInterface = new junosInterfaces();
for (std::deque<Rule*>::iterator i=tmp_queue.begin(); i!=tmp_queue.end(); ++i)
{
if (PolicyRule *rule = PolicyRule::cast(*i))
if (FWObject *obj = FWReference::getObject(*rule->getItf()->begin())) {
if (!jInterface->parseVlan(QString::fromStdString(obj->getName()), NULL, NULL))
compiler->abort(rule, QString("Interface name error: ")
.append(QString::fromStdString(obj->getName()))
.toStdString());
}
}
return true;
}
/*
* Copy all references from rule element re1 to rule element re2.
*/
void PolicyCompiler_junosacl::mirrorRule::duplicateRuleElement(
RuleElement *re1, RuleElement *re2)
{
re2->clearChildren();
for (list<FWObject*>::iterator i1=re1->begin(); i1!=re1->end(); ++i1)
{
FWObject *obj = FWReference::getObject(*i1);
re2->addRef(obj);
}
}
bool PolicyCompiler_junosacl::mirrorRule::processNext()
{
//PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
if (rule->getOptionsObject()->getBool("iosacl_add_mirror_rule"))
{
PolicyRule *r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setAction(rule->getAction());
switch (rule->getDirection())
{
case PolicyRule::Inbound: r->setDirection(PolicyRule::Outbound); break;
case PolicyRule::Outbound: r->setDirection(PolicyRule::Inbound); break;
default: r->setDirection(PolicyRule::Both); break;
}
RuleElementSrc *osrc = rule->getSrc();
RuleElementDst *odst = rule->getDst();
RuleElementSrv *osrv = rule->getSrv();
RuleElementItf *oitf = rule->getItf();
RuleElementSrc *nsrc = r->getSrc();
RuleElementDst *ndst = r->getDst();
RuleElementSrv *nsrv = r->getSrv();
RuleElementItf *nitf = r->getItf();
duplicateRuleElement(osrc, ndst);
duplicateRuleElement(odst, nsrc);
duplicateRuleElement(oitf, nitf);
if (!osrv->isAny())
{
ObjectMirror mirror;
nsrv->clearChildren();
for (list<FWObject*>::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1)
{
Service *nobj = mirror.getMirroredService(
Service::cast(FWReference::getObject(*i1)));
if (nobj->getParent() == NULL)
compiler->persistent_objects->add(nobj, false);
nsrv->addRef(nobj);
}
}
tmp_queue.push_back(r);
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_junosacl::SpecialServices::processNext()
{
//PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Service *s = compiler->getFirstSrv(rule);
if (IPService::cast(s)!=NULL)
{
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
compiler->abort(
rule,
"IOS ACL does not support checking for IP options in ACLs.");
}
if (TCPService::cast(s)!=NULL && TCPService::cast(s)->inspectFlags())
{
string version = compiler->fw->getStr("version");
if (XMLTools::version_compare(version, "12.4")<0)
compiler->abort(rule, "TCP flags match requires IOS v12.4 or later.");
}
tmp_queue.push_back(rule);
return true;
}
/*
* This rule processor is used to separate TCP service objects that
* match tcp flags when generated config uses object-group clause
*/
bool PolicyCompiler_junosacl::splitTCPServiceWithFlags::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementSrv *srv = rule->getSrv();
if (srv->size() > 1)
{
std::list<FWObject*> cl;
for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Service *s=Service::cast(obj);
assert(s!=NULL);
TCPService *tcp_srv = TCPService::cast(s);
if (tcp_srv && (tcp_srv->inspectFlags() || tcp_srv->getEstablished()))
cl.push_back(s);
}
while (!cl.empty())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
RuleElementSrv *nsrv = r->getSrv();
nsrv->clearChildren();
nsrv->addRef( cl.front() );
tmp_queue.push_back(r);
srv->removeRef( cl.front() );
cl.pop_front();
}
if (srv->size()>0) tmp_queue.push_back(rule);
} else
tmp_queue.push_back(rule);
return true;
}
void PolicyCompiler_junosacl::compile()
{
string banner = " Compiling ruleset " + getSourceRuleSet()->getName();
if (ipv6) banner += ", IPv6";
info(banner);
string version = fw->getStr("version");
bool supports_object_groups = XMLTools::version_compare(version, "12.4")>=0 &&
fw->getOptionsObject()->getBool("iosacl_use_object_groups") && ! ipv6;
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
Compiler::compile();
if ( fw->getOptionsObject()->getBool ("check_shading") &&
! inSingleRuleCompileMode())
{
add( new Begin("Detecting rule shadowing" ) );
add( new printTotalNumberOfRules());
add( new ItfNegation("process negation in Itf" ) );
add( new InterfacePolicyRules(
"process interface policy rules and store interface ids"));
add( new recursiveGroupsInSrc("check for recursive groups in SRC"));
add( new recursiveGroupsInDst("check for recursive groups in DST"));
add( new recursiveGroupsInSrv("check for recursive groups in SRV"));
add( new emptyGroupsInSrc( "check for empty groups in SRC" ) );
add( new emptyGroupsInDst( "check for empty groups in DST" ) );
add( new emptyGroupsInSrv( "check for empty groups in SRV" ) );
add( new ExpandGroups("expand groups"));
add( new dropRuleWithEmptyRE(
"drop rules with empty rule elements"));
add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC"));
add( new eliminateDuplicatesInDST("eliminate duplicates in DST"));
add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV"));
//add( new ExpandMultipleAddressesInSrc(
// "expand objects with multiple addresses in SRC" ) );
//add( new ExpandMultipleAddressesInDst(
// "expand objects with multiple addresses in DST" ) );
add( new dropRuleWithEmptyRE(
"drop rules with empty rule elements"));
add( new mirrorRule("Add mirrored rules"));
//add( new ConvertToAtomic("convert to atomic rules" ) );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new DetectShadowing("Detect shadowing" ) );
add( new simplePrintProgress() );
runRuleProcessors();
deleteRuleProcessors();
}
add( new Begin (" Start processing rules" ) );
add( new printTotalNumberOfRules ( ) );
add( new singleRuleFilter());
add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ) );
add( new recursiveGroupsInDst( "check for recursive groups in DST" ) );
add( new recursiveGroupsInSrv( "check for recursive groups in SRV" ) );
add( new emptyGroupsInSrc( "check for empty groups in SRC" ) );
add( new emptyGroupsInDst( "check for empty groups in DST" ) );
add( new emptyGroupsInSrv( "check for empty groups in SRV" ) );
add( new ExpandGroups ("expand groups" ) );
add( new dropRuleWithEmptyRE(
"drop rules with empty rule elements"));
add( new eliminateDuplicatesInSRC( "eliminate duplicates in SRC" ) );
add( new eliminateDuplicatesInDST( "eliminate duplicates in DST" ) );
add( new eliminateDuplicatesInSRV( "eliminate duplicates in SRV" ) );
// TODO: fix processMultiAddressObjects
// add( new processMultiAddressObjectsInSrc(
// "process MultiAddress objects in Src") );
// add( new processMultiAddressObjectsInDst(
// "process MultiAddress objects in Dst") );
add( new expandGroupsInItf("expand groups in Interface" ));
add( new replaceClusterInterfaceInItf(
"replace cluster interfaces with member interfaces in the Interface rule element"));
add( new ItfNegation( "process negation in Itf" ) );
// TODO: does this function do what we want it to do?
add( new InterfacePolicyRules(
"process interface policy rules and store interface ids") );
add( new groupServicesByProtocol ("split rules with different protocols" ) );
add( new ExpandMultipleAddressesInSrc(
"expand objects with multiple addresses in SRC" ) );
// add( new MACFiltering ("check for MAC address filtering" ) );
//// add( new splitByNetworkZonesForSrc ("split rule if objects in Src belong to different network zones " ) );
//// add( new replaceFWinDSTPolicy ("replace fw with its interface in DST in global policy rules") );
add( new ExpandMultipleAddressesInDst(
"expand objects with multiple addresses in DST" ) );
// add( new MACFiltering(
// "check for MAC address filtering" ) );
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
//// add( new splitByNetworkZonesForDst ("split rule if objects in Dst belong to different network zones " ) );
if (ipv6)
add( new DropIPv4Rules("drop ipv4 rules"));
else
add( new DropIPv6Rules("drop ipv6 rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new checkForUnnumbered("check for unnumbered interfaces"));
add( new separateSrcAndDstPort("check for services with both src and dst port specified"));
add( new separateSrcPort("split services with src port specified"));
// if ( ! supports_object_groups)
// add( new addressRanges("process address ranges"));
// add( new mirrorRule("Add mirrored rules"));
// add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
// add( new setInterfaceAndDirectionBySrc(
// "Set interface and direction for rules with interface 'all' using SRC"));
// add( new setInterfaceAndDirectionByDst(
// "Set interface and direction for rules with interface 'all' using DST"));
// add( new setInterfaceAndDirectionIfInterfaceSet(
// "Set direction for rules with interface not 'all'"));
// add( new specialCaseWithDynInterface(
// "check for a special cases with dynamic interface" ) );
// first arg is true because we use "ip access-list" for IOS.
// add( new ConvertToAtomic ("convert to atomic rules" ) );
add( new ValidateInterfaceUnitName("validate interface unit name") );
add( new pickACL( true, "assign ACLs" ) );
// add( new SpecialServices( "check for special services" ) );
// add( new CheckForUnsupportedUserService("check for user service") );
// add( new checkForZeroAddr( "check for zero addresses" ) );
// add( new checkForDynamicInterface("check for dynamic interfaces" ) );
// /* remove redundant objects only after all splits has been
// * done, right before object groups are created
// */
// add( new removeRedundantAddressesFromSrc(
// "remove redundant addresses from Src") );
// add( new removeRedundantAddressesFromDst(
// "remove redundant addresses from Dst") );
// add( new checkForObjectsWithErrors(
// "check if we have objects with errors in rule elements"));
// if (supports_object_groups)
// {
// // "object-group service" does not seem to support
// // matching of tcp flags and "established". Need to
// // separate objects using these into separate rules to avoid
// // object-group
// add( new splitTCPServiceWithFlags(
// "separate TCP service with tcp flags"));
// add( new CreateObjectGroupsForSrc("create object groups for Src",
// named_objects_manager));
// add( new CreateObjectGroupsForDst("create object groups for Dst",
// named_objects_manager));
// add( new CreateObjectGroupsForSrv("create object groups for Srv",
// named_objects_manager));
// } else
// {
// add( new ConvertToAtomic ("convert to atomic rules" ) );
// }
// add( new simplePrintProgress());
// add( new createNewCompilerPass("Creating object groups and ACLs"));
// This processor prints each ACL separately in one block.
// It adds comments inside to denote original rules.
//
add( new PrintCompleteACLs("Print ACLs"));
add( new simplePrintProgress());
runRuleProcessors();
}
string PolicyCompiler_junosacl::printAccessGroupCmd(ciscoACL *acl, bool neg)
{
ostringstream str;
string addr_family_prefix = "inet";
if (ipv6) addr_family_prefix = "inet6";
if (getSourceRuleSet()->isTop())
{
string dir;
if (acl->direction()=="in" || acl->direction()=="Inbound") dir="input";
if (acl->direction()=="out" || acl->direction()=="Outbound") dir="output";
str << "interfaces {\n";
str << " " << acl->getInterface()->getParent()->getName() << " {\n";
str << " " << acl->getInterface()->getName() << " {\n";
str << " family " << addr_family_prefix << " {\n";
str << " filter {\n";
string filter_prefix = fw->getOptionsObject()->getStr("filter_prefix");
if (filter_prefix.empty()) filter_prefix = "fwbfilter";
filter_prefix += "_";
str << " " << dir << " " << filter_prefix << acl->workName() << ";\n";
str << " }\n";
str << " }\n";
str << " }\n";
str << " }\n";
str << "}\n";
/*
str << "interface " << acl->getInterface()->getName() << endl;
if (neg) str << " no";
str << " " << addr_family_prefix << " ";
str << getAccessGroupCommandForAddressFamily(ipv6);
str << " " << acl->workName() << " " << dir << endl;
str << "exit" << endl;
*/
}
return str.str();
}
void PolicyCompiler_junosacl::epilog()
{
output << endl;
// output << "Epilog, acls size: " << acls.size() << endl;
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
if (acl->size()!=0) output << printAccessGroupCmd(acl, false);
}
output << endl;
if ( fw->getOptionsObject()->getBool("iosacl_regroup_commands") )
{
info(" Regrouping commands");
regroup();
}
}
string PolicyCompiler_junosacl::getAccessGroupCommandForAddressFamily(bool ipv6)
{
if (ipv6) return "traffic-filter";
return "access-group";
}
string PolicyCompiler_junosacl::printClearCommands()
{
ostringstream output;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/iosacl_commands/" + xml_element);
assert( !clearACLCmd.empty());
// No need to output "clear" commands in single rule compile mode
if ( fw->getOptionsObject()->getBool("iosacl_acl_basic") ||
fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl = (*i).second;
output << clearACLCmd << " " << acl->workName() << endl;
}
}
return output.str();
}


@@ -0,0 +1,316 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __POLICYCOMPILER_JUNOSACL_HH
#define __POLICYCOMPILER_JUNOSACL_HH
#include <fwbuilder/libfwbuilder-config.h>
#include "fwcompiler/PolicyCompiler.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "cisco_lib/Helper.h"
#include "cisco_lib/ACL.h"
#include "cisco_lib/PolicyCompiler_cisco.h"
#include <functional>
namespace libfwbuilder {
class IPService;
class ICMPService;
class TCPService;
class UDPService;
class RuleElementSrc;
class RuleElementDst;
class RuleElementSrv;
class Group;
}
namespace fwcompiler {
class PolicyCompiler_junosacl : public PolicyCompiler_cisco {
protected:
std::string comment_symbol;
/**
* dynamic interfaces can not be used in policy rules in JUNOS ACLs
*/
friend class checkForDynamicInterface;
class checkForDynamicInterface : public PolicyRuleProcessor
{
bool findDynamicInterface(libfwbuilder::PolicyRule *rule,
libfwbuilder::RuleElement *re);
public:
checkForDynamicInterface(const std::string &name) : PolicyRuleProcessor(name) {}
virtual bool processNext();
};
DECLARE_POLICY_RULE_PROCESSOR( ValidateInterfaceUnitName );
/*
*************************************************************************
*
* the following rule processors are intended for IOSACL < 7.0
* the code is in the module PolicyCompiler_iosacl_v6_acls.cpp
*
*************************************************************************
*/
/**
* verifies combination of interface and direction and
* fills interface and direction. After this predicate it
* is guaranteed that both interface and direction have
* some value. In certain situations interface ID may be
* set to "nil" though (e.g. global policy rules).
*/
DECLARE_POLICY_RULE_PROCESSOR( InterfaceAndDirection_v6 );
/**
* if interface has not been defined (this is global policy
* rule), then multiply the rule for each interface and set
* direction to "Inbound"
*/
DECLARE_POLICY_RULE_PROCESSOR( assignRuleToInterface_v6 );
/**
* split rules with direction "both".
* TODO: This is used in OpenBSD pf. Move to class PolicyCompiler
*/
DECLARE_POLICY_RULE_PROCESSOR( SplitDirection_v6 );
/**
* in IOSACL, ACLs are always applied on interface and direction
* can only be "inbound". We emulate outbound ACLs though.
*/
DECLARE_POLICY_RULE_PROCESSOR( EmulateOutboundACL_v6 );
/**
* determine acl rules should belong to
*/
DECLARE_POLICY_RULE_PROCESSOR( pickACL_v6 );
friend class PolicyCompiler_junosacl::pickACL_v6;
/*
*************************************************************************
*
* end of module PolicyCompiler_iosacl_v6_acls.cpp
*
*************************************************************************
*/
/*
*************************************************************************
*
* rule processors intended to manage ACLs for IOSACL < 7.0 are inherited
* from PolicyCompiler_cisco.
* The code is in the module PolicyCompiler_cisco_acls.cpp
*
* The processors assume that all objects in src and dst
* belong to the same network zone (respectively)
*
* All these rule processors assume outbound ACLs are supported.
* Check corresponding capability flag and do not include these
* processors in the processors chain in iosacl.cpp if outbound acls
* are not supported.
*
*************************************************************************
*/
/**
* this processor checks for the services which require
* special treatment. Some of these will be checking for
* source or destination object as well because special
* command may need to be generated in case source or
* destination is a firewall itself. Therefore this processor
* should be called after converting to atomic rules, but
* before interface addresses in source and destination are
* expanded.
*/
DECLARE_POLICY_RULE_PROCESSOR( SpecialServices );
friend class PolicyCompiler_junosacl::SpecialServices;
/**
* to implement action "Reject" add command "service resetinbound"
*/
DECLARE_POLICY_RULE_PROCESSOR( RejectAction );
friend class PolicyCompiler_junosacl::RejectAction;
/**
* Implements "mirrored" rules
*/
class mirrorRule : public PolicyRuleProcessor
{
void duplicateRuleElement(libfwbuilder::RuleElement *re1,
libfwbuilder::RuleElement *re2);
public:
mirrorRule(const std::string &n) : PolicyRuleProcessor(n) {}
virtual bool processNext();
};
friend class PolicyCompiler_junosacl::mirrorRule;
/**
* this processor accumulates all rules fed to it by previous
* * processors, prints commands to clear access-lists, then
* feeds all rules to the next processor. Usually this
* processor is in chain right before PrintRules.
*
* We use this processor to print "clear" commands because
* they need to be generated when all access lists have been
* created but before they are printed.
*/
class ClearACLs : public PolicyRuleProcessor
{
public:
ClearACLs(const std::string &n) : PolicyRuleProcessor(n) {}
virtual bool processNext();
};
friend class PolicyCompiler_junosacl::ClearACLs;
/**
* "object-group service" does not seem to support matching of
* tcp flags and "established". Need to separate objects using
* these into separate rules to avoid object-group
*/
DECLARE_POLICY_RULE_PROCESSOR(splitTCPServiceWithFlags);
friend class PolicyCompiler_junosacl::splitTCPServiceWithFlags;
/**
* this processor prints single policy rule, assuming all
* groups have been expanded, so source, destination and
* service hold exactly one object each, and this object is
* not a group. Negation should also have been taken care of
* before this method is called.
*/
class PrintRule : public PolicyRuleProcessor
{
protected:
std::string current_rule_label1;
std::map<std::string,std::string> current_rule_label2;
int aclLineCounter;
int termNumber;
std::map<std::string,std::string> reject_icmp_reason;
std::string _printPortRangeOp(int rs, int re);
std::string getTcpFlagName(const libfwbuilder::TCPService::TCPFlag f);
std::string _printSrcService(libfwbuilder::Service *srv);
std::string _printDstService(libfwbuilder::Service *srv);
std::string _printAddr(libfwbuilder::Address *o);
std::string _printProtocol(libfwbuilder::Service *srv);
std::string _printTCPFlags(libfwbuilder::TCPService *srv);
std::string _printAction(libfwbuilder::PolicyRule *r);
std::string _printACL(libfwbuilder::PolicyRule *r);
std::string _printLog(libfwbuilder::PolicyRule *r);
std::string _printIPServiceOptions(libfwbuilder::PolicyRule *r);
std::string _printRule(libfwbuilder::PolicyRule *rule);
public:
PrintRule(const std::string &name) : PolicyRuleProcessor(name)
{
aclLineCounter=0;
termNumber=0;
reject_icmp_reason.insert(std::pair<std::string,std::string>("ICMP admin prohibited", "administratively-prohibited"));
reject_icmp_reason.insert(std::pair<std::string,std::string>("ICMP host prohibited", "host-prohibited"));
reject_icmp_reason.insert(std::pair<std::string,std::string>("ICMP host unreachable", "host-unreachable"));
reject_icmp_reason.insert(std::pair<std::string,std::string>("ICMP net prohibited", "network-prohibited"));
reject_icmp_reason.insert(std::pair<std::string,std::string>("ICMP net unreachable", "network-unreachable"));
reject_icmp_reason.insert(std::pair<std::string,std::string>("ICMP port unreachable", "port-unreachable"));
reject_icmp_reason.insert(std::pair<std::string,std::string>("ICMP protocol unreachable", "protocol-unreachable"));
reject_icmp_reason.insert(std::pair<std::string,std::string>("TCP RST", "tcp-reset"));
}
virtual bool processNext();
};
friend class PolicyCompiler_junosacl::PrintRule;
/**
* this processor accumulates all rules fed to it by previous
* * processors, prints commands to clear access-lists, then
* generates commands for the new ACLs.
*
*/
class PrintCompleteACLs : public PrintRule
{
public:
PrintCompleteACLs(const std::string &n) : PrintRule(n) {}
virtual bool processNext();
struct printRulesForACL : public std::unary_function<libfwbuilder::Rule*, void>
{
ciscoACL *acl;
std::stringstream *output;
PolicyCompiler_junosacl *iosacl_comp;
PolicyCompiler_junosacl::PrintCompleteACLs *print_acl_p;
printRulesForACL(PolicyCompiler_junosacl *_comp,
PolicyCompiler_junosacl::PrintCompleteACLs *pp,
ciscoACL* _acl,
std::stringstream *_out)
{ iosacl_comp = _comp; print_acl_p = pp; acl = _acl; output = _out; }
// print rule if it belongs to ACL <acl>
void operator() (libfwbuilder::Rule* x);
};
friend struct PrintCompleteACLs::printRulesForACL;
};
friend class PolicyCompiler_junosacl::PrintCompleteACLs;;
bool resetinbound;
bool fragguard;
int termNumber;
protected:
virtual std::string myPlatformName();
virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false);
public:
PolicyCompiler_junosacl(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf);
virtual ~PolicyCompiler_junosacl() {}
virtual int prolog();
virtual void compile();
virtual void epilog();
virtual std::string printClearCommands();
static std::string getAccessGroupCommandForAddressFamily(bool ipv6);
};
}
#endif
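Review bot: The block comments between `DECLARE_POLICY_RULE_PROCESSOR( ValidateInterfaceUnitName );` and `SpecialServices` still describe the IOS compiler ("IOSACL < 7.0", "module PolicyCompiler_iosacl_v6_acls.cpp", "iosacl.cpp"); no `_v6_acls.cpp` module appears in the junosacl.pro SOURCES list added by this commit and the `_v6` processors declared there are not used by the `compile()` chain, so these comments and declarations should either be removed or rewritten to say what actually applies to JUNOS. `struct printRulesForACL : public std::unary_function<libfwbuilder::Rule*, void>` relies on a base that is deprecated since C++11 and removed in C++17; the struct only needs its `operator()`, so the base class can be dropped (and `#include <functional>` with it if nothing else in the header needs it). The stray `;;` after `friend class PolicyCompiler_junosacl::PrintCompleteACLs` is harmless but should be cleaned up. The members `bool resetinbound; bool fragguard; int termNumber;` have no in-class initializers and the constructor is outside this hunk, so I cannot tell whether they are set before use.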


@@ -0,0 +1,758 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "PolicyCompiler_junosacl.h"
#include "cisco_lib/IOSObjectGroup.h"
// #include "NamedObjectsAndGroupsSupport.h"
#include "cisco_lib/PortRangeConverter.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/ICMP6Service.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/XMLTools.h"
#include <iostream>
#include <iomanip>
#include <fstream>
#include <sstream>
#include <algorithm>
#include <functional>
#include <assert.h>
#include <QStringList>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
bool PolicyCompiler_junosacl::ClearACLs::processNext()
{
PolicyCompiler_junosacl *junosacl_comp=dynamic_cast<PolicyCompiler_junosacl*>(compiler);
string vers = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/iosacl_commands/clear_acl");
slurp();
if (tmp_queue.size()==0) return false;
if ( compiler->fw->getOptionsObject()->getBool("iosacl_acl_basic") )
{
compiler->output << clearACLcmd << endl;
}
if (compiler->fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=junosacl_comp->acls.begin();
i!=junosacl_comp->acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << clearACLcmd << " " << acl->workName() << endl;
}
compiler->output << endl;
}
if ( !compiler->fw->getOptionsObject()->getBool("iosacl_acl_no_clear") )
{
string clearICMPcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/iosacl_commands/clear_icmp");
string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/iosacl_commands/clear_telnet");
string clearSSHcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/iosacl_commands/clear_ssh");
//compiler->output << clearICMPcmd << endl;
//compiler->output << clearTelnetcmd << endl;
//compiler->output << clearSSHcmd << endl;
}
return true;
}
void PolicyCompiler_junosacl::PrintCompleteACLs::printRulesForACL::operator()(
Rule* rule)
{
// print rule if it belongs to ACL <acl>
PolicyRule *prule = PolicyRule::cast(rule);
string acl_name = prule->getStr("acl");
assert (acl_name!="");
ciscoACL *rule_acl = iosacl_comp->acls[acl_name];
assert(rule_acl!=NULL);
if (acl == rule_acl)
{
*output << print_acl_p->_printRule(prule);
}
}
bool PolicyCompiler_junosacl::PrintCompleteACLs::processNext()
{
PolicyCompiler_junosacl *junosacl_comp=dynamic_cast<PolicyCompiler_junosacl*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
string addr_family_prefix = "family inet {\n";
if (junosacl_comp->ipv6) addr_family_prefix = "family inet6 {\n";
for (map<string,ciscoACL*>::iterator i=junosacl_comp->acls.begin();
i!=junosacl_comp->acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << "firewall {\n" << " " << addr_family_prefix
<< " " << "replace:\n"
<< " " << "filter ";
string filter_prefix = compiler->fw->getOptionsObject()->getStr("filter_prefix");
if (filter_prefix.empty()) filter_prefix = "fwbfilter";
filter_prefix += "_";
compiler->output<< filter_prefix << acl->workName() << " {\n";
std::for_each(tmp_queue.begin(), tmp_queue.end(),
printRulesForACL(junosacl_comp,
this, acl, &(compiler->output)));
compiler->output << " }\n }\n}" << endl;
}
return true;
}
string PolicyCompiler_junosacl::PrintRule::_printRule(PolicyRule *rule)
{
PolicyCompiler_junosacl *junosacl_comp=dynamic_cast<PolicyCompiler_junosacl*>(compiler);
ostringstream ruleout;
string platform = compiler->fw->getStr("platform");
bool write_comments = compiler->fw->getOptionsObject()->getBool(
platform + "_include_comments");
ruleout << " term " << termNumber++ << " {\n";
if (write_comments)
compiler->output << compiler->printComment(
rule, current_rule_label1, junosacl_comp->comment_symbol);
RuleElementSrc *src=rule->getSrc();
RuleElementDst *dst=rule->getDst();
RuleElementSrv *srv=rule->getSrv();
FWObject *srvobj = srv->front();
bool src_contains_any = false;
bool dst_contains_any = false;
bool srv_contains_any = false;
for (FWObject::iterator i1=src->begin(); i1!=src->end(); i1++) {
if (Address::cast(FWReference::cast(*i1)->getPointer())->isAny()) {
src_contains_any = true;
break;
}
}
for (FWObject::iterator i2=dst->begin(); i2!=dst->end(); i2++) {
if (Address::cast(FWReference::cast(*i2)->getPointer())->isAny()) {
dst_contains_any = true;
break;
}
}
for (FWObject::iterator i3=srv->begin(); i3!=srv->end(); i3++) {
if (Service::cast(FWReference::cast(*i3)->getPointer())->isAny()) {
srv_contains_any = true;
break;
}
}
if (!src_contains_any || !dst_contains_any || !srv_contains_any)
ruleout << " from {\n";
if ((src->size() > 0) && !src_contains_any) {
ruleout << " source-address {\n";
FWObject* o;
for (FWObject::iterator i1=src->begin(); i1!=src->end(); i1++) {
o = FWReference::cast(*i1)->getPointer();
ruleout << " " << _printAddr(Address::cast(o)) << ";\n";
}
ruleout << " }\n"; // source-address {
}
if ((dst->size() > 0) && !dst_contains_any) {
ruleout << " destination-address {\n";
FWObject* o;
for (FWObject::iterator i2=dst->begin(); i2!=dst->end(); i2++) {
o = FWReference::cast(*i2)->getPointer();
ruleout << " " << _printAddr(Address::cast(o)) << ";\n";
}
ruleout << " }\n"; // destination-address {
}
// BEGIN SERVICE
string protocol_command = junosacl_comp->ipv6 ? "next-header " : "protocol ";
if (srv->size() == 1) {
if (FWReference::cast(srvobj)!=NULL)
{
srvobj=FWReference::cast(srvobj)->getPointer();
assert(srvobj);
}
if ( compiler->getFirstSrv(rule) && !compiler->getFirstSrv(rule)->isAny() )
ruleout << " " << protocol_command << _printProtocol(Service::cast(srvobj)) << ";\n";
string serviceStr = _printSrcService( compiler->getFirstSrv(rule) );
if (serviceStr.size())
ruleout << " " << serviceStr << ";\n";
serviceStr = "";
serviceStr = _printDstService( compiler->getFirstSrv(rule) );
if (serviceStr.size())
if (isdigit(serviceStr.at(0)))
ruleout << " destination-port " << serviceStr << ";\n";
else
ruleout << " " << serviceStr << ";\n";
} else {
ruleout << " " << protocol_command << _printProtocol(Service::cast(FWReference::cast(srvobj)->getPointer())) << ";\n";
ruleout << " destination-port [ ";
FWObject* o;
for (FWObject::iterator i3=srv->begin(); i3!=srv->end(); i3++) {
o = FWReference::cast(*i3)->getPointer();
ruleout << _printDstService(TCPUDPService::cast(o)) << " ";
}
ruleout << "];\n";
}
// END SERVICE
if (!src_contains_any || !dst_contains_any || !srv_contains_any)
ruleout << " }\n"; // from {
ruleout << " then {\n";
string counter_name = rule->getOptionsObject()->getStr("counter_name");
if (!counter_name.empty())
ruleout << " count " << counter_name << ";\n";
if (rule->getLogging())
ruleout << " syslog;\n";
ruleout << " " << _printAction(rule) << ";\n";
ruleout << " }\n"; // then {
ruleout << " }\n"; // term x {
//return ruleout.str();
//FWOptions *ruleopt =rule->getOptionsObject();
// ostringstream ruleout;
ostringstream aclstr;
// if (write_comments)
// compiler->output << compiler->printComment(
// rule, current_rule_label1, junosacl_comp->comment_symbol);
/*
* all three rule elements contain exactly one object, which can
* be either group (in case processor CreateObjectGroups created
* object group for it) or a regular object
*/
// RuleElementSrc *src=rule->getSrc();
// RuleElementDst *dst=rule->getDst();
// RuleElementSrv *srv=rule->getSrv();
//assert(src->size()==1);
//assert(dst->size()==1);
//assert(srv->size()==1);
FWObject *srcobj = src->front();
FWObject *dstobj = dst->front();
//FWObject *srvobj = srv->front();
assert(srcobj);
assert(dstobj);
assert(srvobj);
if (FWReference::cast(srcobj)!=NULL)
{
srcobj=FWReference::cast(srcobj)->getPointer();
assert(srcobj);
}
if (FWReference::cast(dstobj)!=NULL)
{
dstobj=FWReference::cast(dstobj)->getPointer();
assert(dstobj);
}
if (FWReference::cast(srvobj)!=NULL)
{
srvobj=FWReference::cast(srvobj)->getPointer();
assert(srvobj);
}
string acl_name=rule->getStr("acl");
assert (acl_name!="");
ciscoACL *acl = junosacl_comp->acls[acl_name];
assert(acl!=NULL);
/*
* Assemble ACL command in aclstr
*/
aclstr << _printAction(rule);
IOSObjectGroup *pgsrc = IOSObjectGroup::cast(srcobj);
IOSObjectGroup *pgdst = IOSObjectGroup::cast(dstobj);
IOSObjectGroup *pgsrv = IOSObjectGroup::cast(srvobj);
/*
* Possible configurations:
*
* permit object-group service_group object-group src_grp object-group dst_grp
* permit object-group service_group SRC_SPEC DST_SPEC
* permit <proto> SRC_SPEC <src_ports> DST_SPEC <dst_ports>
*
* Where SRC_SPEC and DST_SPEC are
* obejct-group network_group
* or traidtional <address> <wildcard_bits>
*
*/
if ( pgsrv!=NULL && pgsrv->isServiceGroup())
{
aclstr << "object-group " << pgsrv->getName();
aclstr << " ";
if ( pgsrc!=NULL && pgsrc->isObjectGroup())
{
aclstr << "object-group " << pgsrc->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstSrc(rule) );
}
if ( pgdst!=NULL && pgdst->isObjectGroup())
{
aclstr << "object-group " << pgdst->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstDst(rule) );
}
} else
{
// Service is not object group
aclstr << _printProtocol(Service::cast(srvobj));
aclstr << _printProtocol(Service::cast(srvobj));
aclstr << " ";
if ( pgsrc!=NULL && pgsrc->isObjectGroup())
{
aclstr << "object-group " << pgsrc->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstSrc(rule) );
}
aclstr << _printSrcService( compiler->getFirstSrv(rule) );
if ( pgdst!=NULL && pgdst->isObjectGroup())
{
aclstr << "object-group " << pgdst->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstDst(rule) );
}
aclstr << _printDstService( compiler->getFirstSrv(rule) );
}
aclstr << _printLog( rule );
// "fragments" should be the last option in the access-list command
aclstr << _printIPServiceOptions(rule);
// Note that option "use_acl_remarks" is set in prolog() because
// we use different options for this function in GUI dialogs for
// iosacl and procurve. This is historical.
if (compiler->fw->getOptionsObject()->getBool("use_acl_remarks"))
{
ruleout << acl->addRemark(rule->getLabel(), rule->getComment());
}
acl->addLine(aclstr.str());
//ruleout << "#" << acl->addLine(aclstr.str());
return ruleout.str();
}
string PolicyCompiler_junosacl::PrintRule::_printAction(PolicyRule *rule)
{
ostringstream str;
switch (rule->getAction()) {
case PolicyRule::Accept: str << "accept"; break;
case PolicyRule::Deny: str << "discard"; break;
case PolicyRule::Reject: str << "reject";
{
FWOptions *ruleopt =rule->getOptionsObject();
string reason = ruleopt->getStr("action_on_reject");
if (!reason.empty())
str << " " << reject_icmp_reason.at(reason);
}
break;
default: str << rule->getActionAsString() << "";
}
return str.str();
}
string PolicyCompiler_junosacl::PrintRule::_printACL(PolicyRule *rule)
{
// PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
string acl_name=rule->getStr("acl");
assert (acl_name!="");
return acl_name+" ";
}
string PolicyCompiler_junosacl::PrintRule::_printLog(PolicyRule *rule)
{
if (rule->getLogging())
{
FWOptions *ruleopt =rule->getOptionsObject();
if (ruleopt->getBool("iosacl_log_input")) return "log-input ";
return "log ";
}
return "";
}
string PolicyCompiler_junosacl::PrintRule::_printPortRangeOp(int rs, int re)
{
std::ostringstream str;
if (rs<0) rs = 0;
if (re<0) re = 0;
if (rs>0 || re>0)
{
if (rs==re) str << rs;
else
{
if (rs==0 && re!=0)
{
str << "1-" << re + 1;
} else
{
if (rs!=0 && re==65535)
{
str << rs << "-65535";
} else
{
str << rs << "-" << re;
}
}
}
}
return str.str();
return PortRangeConverter(rs, re).toString();
}
string PolicyCompiler_junosacl::PrintRule::_printSrcService(Service *srv)
{
if (TCPService::isA(srv) || UDPService::isA(srv))
{
int rs = TCPUDPService::cast(srv)->getSrcRangeStart();
int re = TCPUDPService::cast(srv)->getSrcRangeEnd();
string outstr = _printPortRangeOp(rs, re);
if (outstr.size())
return "source-port: " + outstr;
}
return "";
}
string PolicyCompiler_junosacl::PrintRule::_printIPServiceOptions(PolicyRule *r)
{
Service *srv = compiler->getFirstSrv(r);
const IPService *ip;
if ((ip=IPService::constcast(srv))!=NULL)
{
string version = compiler->fw->getStr("version");
if (srv->getBool("fragm") || srv->getBool("short_fragm"))
return "fragments ";
if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.4")<0)
compiler->abort(r, "IP options match requires IOS v12.4 or later.");
if (ip->getBool("lsrr")) return "option lsr";
if (ip->getBool("ssrr")) return "option ssr";
if (ip->getBool("rr")) return "option record-route";
if (ip->getBool("rtralt")) return "option router-alert";
if (ip->getBool("any_opt")) return "option any-options ";
string tos = ip->getTOSCode();
string dscp = ip->getDSCPCode();
if (!dscp.empty()) return string("dscp ") + dscp;
else
if (!tos.empty()) return string("tos ") + tos;
}
return "";
}
string PolicyCompiler_junosacl::PrintRule::_printDstService(Service *srv)
{
ostringstream str;
if (TCPService::isA(srv) || UDPService::isA(srv))
{
int rs = TCPUDPService::cast(srv)->getDstRangeStart();
int re = TCPUDPService::cast(srv)->getDstRangeEnd();
str << _printPortRangeOp(rs, re);
}
if (TCPService::isA(srv))
{
if (srv->getBool("established")) str << "tcp-established";
else str << _printTCPFlags(TCPService::cast(srv));
}
if ((ICMPService::isA(srv) || ICMP6Service::isA(srv)) &&
srv->getInt("type")!=-1)
{
str << srv->getStr("type") << " ";
}
if (CustomService::isA(srv))
str << CustomService::cast(srv)->getCodeForPlatform(
compiler->myPlatformName() );
return str.str();
}
string PolicyCompiler_junosacl::PrintRule::getTcpFlagName(const TCPService::TCPFlag f)
{
switch (f)
{
case TCPService::URG: return "urg";
case TCPService::ACK: return "ack";
case TCPService::PSH: return "psh";
case TCPService::RST: return "rst";
case TCPService::SYN: return "syn";
case TCPService::FIN: return "fin";
default: return "";
}
return "";
}
string PolicyCompiler_junosacl::PrintRule::_printTCPFlags(TCPService *srv)
{
if (srv->inspectFlags())
{
// We check the version and call compiler->abort() if its
// wrong in SpecialServices rule processor. Here we should just execute.
string version = compiler->fw->getStr("version");
if (XMLTools::version_compare(version, "12.4")>=0)
{
std::set<TCPService::TCPFlag> flags = srv->getAllTCPFlags();
std::set<TCPService::TCPFlag> masks = srv->getAllTCPFlagMasks();
std::set<TCPService::TCPFlag>::iterator mit = masks.begin();
QStringList match_specs;
for (; mit!=masks.end(); mit++)
{
if (flags.count(*mit) > 0)
match_specs.push_back(QString("+%1").arg(getTcpFlagName(*mit).c_str()));
else
match_specs.push_back(QString("-%1").arg(getTcpFlagName(*mit).c_str()));
}
if (!match_specs.empty())
match_specs.push_front("match-all");
return match_specs.join(" ").toStdString() + " ";
}
}
return "";
}
string PolicyCompiler_junosacl::PrintRule::_printProtocol(Service *srv)
{
PolicyCompiler_junosacl *junosacl_comp = dynamic_cast<PolicyCompiler_junosacl*>(
compiler);
string addr_family_prefix = "ip ";
if (junosacl_comp->ipv6) addr_family_prefix = "ipv6 ";
string proto = srv->getProtocolName();
if (ICMP6Service::isA(srv)) proto = "icmp";
if (CustomService::isA(srv))
{
// special case standard CusctomService objects "ESTABLISHED"
// and "ESTABLISHED ipv6": these require protocol "tcp" but
// protocol is set in the Custom Service object for all
// platforms at once, so we can't have protocol defined only
// for junosacl to be used here.
string srv_code = CustomService::cast(srv)->getCodeForPlatform(
compiler->myPlatformName());
if (srv_code == "tcp-established") proto = "tcp";
}
if (proto=="ip") return addr_family_prefix;
return proto;
}
string PolicyCompiler_junosacl::PrintRule::_printAddr(Address *o)
{
PolicyCompiler_junosacl *junosacl_comp = dynamic_cast<PolicyCompiler_junosacl*>(compiler);
if (Interface::cast(o)!=NULL)
{
Interface *interface_ = Interface::cast(o);
if (interface_->isDyn())
{
return string("interface ") + interface_->getLabel() + " ";
}
}
ostringstream str;
const InetAddr *srcaddr = o->getAddressPtr();
if (srcaddr)
{
const InetAddr *nm = o->getNetmaskPtr();
InetAddr srcmask;
if (nm != NULL)
{
srcmask = *nm;
} else
{
cerr << "Address object "
<< o
<< " "
<< o->getName()
<< " (" << o->getTypeName() << ") "
<< " has no netmask"
<< endl;
srcmask = InetAddr(InetAddr::getAllOnes(srcaddr->addressFamily()));
}
// const InetAddr srcmask = *(o->getNetmaskPtr());
if (srcaddr->isAny() && srcmask.isAny())
{
str << "any ";
} else
{
if (Interface::cast(o)==NULL &&
Interface::cast(o->getParent())==NULL &&
o->dimension() > 1 &&
!srcmask.isHostMask())
{
if (junosacl_comp->ipv6)
{
str << srcaddr->toString()
<< "/"
<< srcmask.getLength();
} else
{
str << srcaddr->toString()
<< "/"
<< srcmask.getLength();
}
} else
{
// str << srcaddr->toString() << "/" << srcmask.getLength();
str << srcaddr->toString() << "/" << 32;
}
}
return str.str();
}
ostringstream errstr;
errstr << "Object "
<< o->getName()
<< " (id="
<< o->getId()
<< ") "
<< " has no ip address and can not be used "
<< "in the rule.";
compiler->abort(errstr.str());
return ""; // to make compiler happy
}
/*
* the following additional attributes should have been defined by now:
*
* "acl" - string, name of the access list
* choices are: outside-in, outside-out, inside-in, indside-out,
* dmz-in, dmz-out etc.
* General rule for the acl name: "iface_name-{in,out}"
*/
bool PolicyCompiler_junosacl::PrintRule::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
compiler->output << _printRule(rule);
return true;
}


@@ -0,0 +1,44 @@
#-*- mode: makefile; tab-width: 4; -*-
#
include(../../qmake.inc)
#
TEMPLATE = lib
#
SOURCES = \
CompilerDriver_junosacl.cpp \
CompilerDriver_junosacl_run.cpp \
OSConfigurator_junos.cpp \
../cisco_lib/PolicyCompiler_cisco.cpp \
../cisco_lib/Helper.cpp \
PolicyCompiler_junosacl.cpp \
PolicyCompiler_junosacl_writers.cpp \
../cisco_lib/NamedObjectsAndGroupsSupport.cpp \
../cisco_lib/NamedObject.cpp \
../cisco_lib/PolicyCompiler_cisco_acls.cpp \
../cisco_lib/BaseObjectGroup.cpp \
../cisco_lib/IOSObjectGroup.cpp \
../cisco_lib/NamedObjectsManager.cpp \
../cisco_lib/ACL.cpp \
../cisco_lib/NXOSObjectGroup.cpp \
../cisco_lib/PIXObjectGroup.cpp \
../cisco_lib/ASA8ObjectGroup.cpp
HEADERS = ../../config.h \
CompilerDriver_junosacl.h \
OSConfigurator_junos.h \
PolicyCompiler_junosacl.h \
../cisco_lib/BaseObjectGroup.h
macx:LIBS += $$LIBS_FWCOMPILER
INCLUDEPATH += ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../compiler_lib ../libfwbuilder/src
win32:PRE_TARGETDEPS = ../compiler_lib/release/libcompilerdriver.a
!win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a
CONFIG += staticlib
TARGET = fwbjuniper
INSTALLS -= target
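Review bot: The cisco_lib sources listed at L1992–L2005 are compiled a second time into this library (TARGET fwbjuniper at L2017) instead of being linked from the existing cisco library, so PolicyCompiler_cisco, NamedObject and the object-group classes will exist in two static archives; if the GUI links both (CompilerDriverFactory now includes both drivers), the linker silently takes whichever archive it searches first, which only works while the two copies are built identically and becomes an ODR problem as soon as either library changes flags or defines. Prefer `LIBS += ../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a` plus `INCLUDEPATH += ../cisco_lib` over re-listing the sources, or add a comment stating why the duplication is intended. The file header for this .pro is not visible in this view.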

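--- a/src/junosacl/junosacl.cpp
+++ b/src/junosacl/junosacl.cpp
@@ -0,0 +1,193 @@
+/*
+Firewall Builder
+Copyright (C) 2007 NetCitadel, LLC
+Author: Vadim Kurland vadim@vk.crocodile.org
+$Id$
+This program is free software which we release under the GNU General Public
+License. You may redistribute and/or modify this program under the terms
+of that license as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+To get a copy of the GNU General Public License, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+#include "../../config.h"
+#include <fstream>
+#include <iostream>
+#include <sstream>
+#include <map>
+#include <algorithm>
+#include <functional>
+#ifdef _WIN32
+# include <direct.h>
+#else
+# include <unistd.h>
+#endif
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <assert.h>
+#include <cstring>
+#include "CompilerDriver_junosacl.h"
+#include "fwbuilder/Resources.h"
+#include "fwbuilder/FWObjectDatabase.h"
+#include "fwbuilder/XMLTools.h"
+#include "fwbuilder/FWException.h"
+#include "fwbuilder/Tools.h"
+#include "fwbuilder/Constants.h"
+#include <QCoreApplication>
+#include <QStringList>
+#include <QTextCodec>
+#include "../common/init.cpp"
+using namespace std;
+using namespace libfwbuilder;
+using namespace fwcompiler;
+FWObjectDatabase *objdb = NULL;
+class UpgradePredicate: public XMLTools::UpgradePredicate
+{
+public:
+virtual bool operator()(const string &msg) const
+{
+msg.size(); // to make compiler happy about unused parameter
+cout << "Data file has been created in the old version of Firewall Builder.\nLoad it in the GUI to convert it to the new version." << endl;
+return false;
+}
+};
+void usage(const char *name)
+{
+cout << "Firewall Builder: policy compiler for Juniper Junos ACL" << endl;
+cout << "Copyright 2007-2009 NetCitadel, LLC" << endl;
+cout << "Version " << VERSION << endl;
+cout << "Usage: " << name << " [-tvV] [-f filename.xml] [-d destdir] [-o output.fw] firewall_object_name" << endl;
+}
+int main(int argc, char **argv)
+{
+QCoreApplication app(argc, argv, false);
+// compilers always write file names into manifest in Utf8
+#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
+QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
+#endif
+QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));
+QStringList args = app.arguments();
+if (args.size()<=1)
+{
+usage(argv[0]);
+exit(1);
+}
+QString last_arg;
+string filename;
+for (int idx=0; idx < args.size(); idx++)
+{
+QString arg = args.at(idx);
+last_arg = arg;
+if (arg == "-V")
+{
+usage(argv[0]);
+exit(0);
+}
+if (arg == "-f")
+{
+idx++;
+filename = string(args.at(idx).toLatin1().constData());
+continue;
+}
+}
+if (filename.empty())
+{
+usage(argv[0]);
+exit(1);
+}
+init(argv);
+try
+{
+new Resources(Constants::getResourcesFilePath());
+/* create database */
+objdb = new FWObjectDatabase();
+/* load the data file */
+UpgradePredicate upgrade_predicate;
+cout << " *** Loading data ...";
+objdb->setReadOnly( false );
+objdb->load( filename, &upgrade_predicate, Constants::getDTDDirectory());
+objdb->setFileName(filename);
+objdb->reIndex();
+cout << " done\n";
+FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
+if (slib && slib->isReadOnly()) slib->setReadOnly(false);
+CompilerDriver_junosacl *driver = new CompilerDriver_junosacl(objdb);
+if (!driver->prepare(args))
+{
+usage(argv[0]);
+exit(1);
+}
+driver->compile();
+//int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
+int ret = driver->getStatus();
+delete driver;
+delete objdb;
+return ret;
+} catch(libfwbuilder::FWException &ex)
+{
+cerr << ex.toString() << endl;
+return 1;
+} catch (std::string s)
+{
+cerr << s << endl;
+return 1;
+} catch (std::exception ex)
+{
+cerr << "exception: " << ex.what() << endl;
+return 1;
+} catch (...)
+{
+cerr << "Unsupported exception";
+return 1;
+}
+return 0;
+}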
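Review bot: When `-f` is the last command-line argument, the `idx++` / `args.at(idx)` pair at L2119–L2120 reads one past the end of the QStringList, which QList::at treats as a precondition violation (assert in debug, undefined in release) rather than a usage error; guard it with `if (++idx >= args.size()) { usage(argv[0]); exit(1); }`. The same line converts the path with `toLatin1()` although the comment at L2095 says file names are handled as UTF-8, so a data-file path outside Latin-1 is silently mangled into a different file name — use `toUtf8()` (or `toLocal8Bit()`, matching how the file is later opened). `catch (std::exception ex)` at L2165 and `catch (std::string s)` at L2161 catch by value, slicing derived exception types and copying; write `catch (const std::exception &ex)` and `catch (const std::string &s)`. The option loop also starts at idx 0, so argv[0] itself is compared against `-V`/`-f`; start at 1.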

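--- a/src/junosacl/junosacl.pro
+++ b/src/junosacl/junosacl.pro
@@ -0,0 +1,34 @@
+#-*- mode: makefile; tab-width: 4; -*-
+#
+include(../../qmake.inc)
+QT -= gui
+#
+#
+# PACKAGE = fwbuilder-junosacl-$$FWB_VERSION
+#
+# QMAKE_CXXFLAGS_DEBUG += -DPACKAGE="\"$$PACKAGE\""
+# QMAKE_CXXFLAGS_RELEASE += -DPACKAGE="\"$$PACKAGE\""
+greaterThan(QT_MAJOR_VERSION, 4): QT += widgets
+SOURCES = junosacl.cpp
+HEADERS = ../../config.h
+!win32 {
+QMAKE_COPY = ../../install.sh -m 0755 -s
+}
+win32:CONFIG += console
+INCLUDEPATH += ../juniper_lib ../compiler_lib ../libfwbuilder/src
+DEPENDPATH += ../juniper_lib ../compiler_lib ../libfwbuilder/src
+PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
+../juniper_lib/$$BINARY_SUBDIR/libfwbjuniper.a \
+../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
+../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
+../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
+LIBS += $$PRE_TARGETDEPS $$LIBS
+TARGET = fwb_junosacl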
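Review bot: `QT -= gui` at L2185 is undone by `greaterThan(QT_MAJOR_VERSION, 4): QT += widgets` at L2192, because QtWidgets pulls QtGui back in, so this command-line compiler links the whole widget stack it never uses; unless something in compiler_lib genuinely needs QWidget, drop the widgets line (or leave a comment naming the dependency if a sibling compiler .pro does the same for a reason). The PRE_TARGETDEPS list at L2205 ends with a trailing backslash directly before `LIBS += $$PRE_TARGETDEPS $$LIBS`; if the blank line between them was only collapsed by this rendering that is harmless, otherwise the continuation folds the LIBS assignment into PRE_TARGETDEPS and the link line loses its libraries.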


@@ -0,0 +1,37 @@
<!--
Filename: FWObjectDatabase_23.xslt
Author: Sirius Bakke
Build date: 2014-09-24
Last changed: 2014-09-24
Version: 1.0.0
Description: translates fwbuilder object database from v23 to 24
-->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:fwb="http://www.fwbuilder.org/1.0/"
exclude-result-prefixes="fwb">
<xsl:output method="xml" version="1.0"
doctype-system="fwbuilder.dtd" indent="yes" encoding="utf-8"/>
<xsl:template match="*" mode="copy">
<xsl:copy>
<xsl:copy-of select="@*"/>
<xsl:apply-templates mode="copy"/>
</xsl:copy>
</xsl:template>
<xsl:template match="*[attribute::id='root']">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/">
<xsl:attribute name="version">24</xsl:attribute>
<xsl:attribute name="lastModified"><xsl:value-of select="@lastModified"/></xsl:attribute>
<xsl:attribute name="id">root</xsl:attribute>
<xsl:apply-templates select="*" mode="copy"/>
</FWObjectDatabase>
</xsl:template>
</xsl:stylesheet>


@@ -96,5 +96,6 @@ target.files = FWObjectDatabase_0.9.0.xslt \
FWObjectDatabase_20.xslt \
FWObjectDatabase_21.xslt \
FWObjectDatabase_22.xslt \
FWObjectDatabase_23.xslt \


@@ -37,6 +37,7 @@
#include "CompilerDriver_pix.h"
#include "CompilerDriver_procurve_acl.h"
#include "CompilerDriver_nxosacl.h"
#include "../juniper_lib/CompilerDriver_junosacl.h"
#include <string>
@@ -54,6 +55,7 @@ CompilerDriver* CompilerDriverFactory::createCompilerDriver(Firewall *fw)
if (platform == "ipfw") return new CompilerDriver_ipfw(fw->getRoot());
if (platform == "iosacl") return new CompilerDriver_iosacl(fw->getRoot());
if (platform == "nxosacl") return new CompilerDriver_nxosacl(fw->getRoot());
if (platform == "junosacl") return new CompilerDriver_junosacl(fw->getRoot());
if (platform == "pix" || platform == "fwsm")
return new CompilerDriver_pix(fw->getRoot());
if (platform == "procurve_acl")
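Review bot: The new include at L2256 uses a directory-relative path, `#include "../juniper_lib/CompilerDriver_junosacl.h"`, while the neighbouring Cisco drivers at L2253–L2255 are included by bare name and found through INCLUDEPATH; add `../juniper_lib` to this target's INCLUDEPATH and DEPENDPATH and write `#include "CompilerDriver_junosacl.h"` so qmake tracks the header dependency the same way it does for the others. The createCompilerDriver() body continues outside the hunk.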


@@ -64,6 +64,7 @@
#include "ipfwAdvancedDialog.h"
#include "pfAdvancedDialog.h"
#include "pixAdvancedDialog.h"
#include "junosaclAdvancedDialog.h"
#include "nxosaclAdvancedDialog.h"
#include "iosaclAdvancedDialog.h"
#include "ipcopAdvancedDialog.h"
@@ -85,6 +86,7 @@
#include "solarisAdvancedDialog.h"
#include "macosxAdvancedDialog.h"
#include "pixosAdvancedDialog.h"
#include "junosAdvancedDialog.h"
#include "nxosAdvancedDialog.h"
#include "iosAdvancedDialog.h"
#include "ipcoposAdvancedDialog.h"
@@ -245,6 +247,7 @@ QWidget *DialogFactory::createFWDialog(QWidget *parent, FWObject *o)
if (platform == "iptables" && os_family == "secuwall")
dlgname = "secuwall";
if (dlgname=="junosacl") return new junosaclAdvancedDialog(parent,o);
if (dlgname=="nxosacl") return new nxosaclAdvancedDialog(parent,o);
if (dlgname=="iosacl") return new iosaclAdvancedDialog(parent,o);
if (dlgname=="ipcop") return new ipcopAdvancedDialog(parent,o);
@@ -284,6 +287,7 @@ QWidget *DialogFactory::createOSDialog(QWidget *parent,FWObject *o)
if (dlgname=="solaris") return new solarisAdvancedDialog(parent, o);
if (dlgname=="macosx") return new macosxAdvancedDialog(parent, o);
if (dlgname=="pix_os") return new pixosAdvancedDialog(parent, o);
if (dlgname=="junos") return new junosAdvancedDialog(parent, o);
if (dlgname=="nxos") return new nxosAdvancedDialog(parent, o);
if (dlgname=="ios") return new iosAdvancedDialog(parent, o);
if (dlgname=="ipcop") return new ipcoposAdvancedDialog(parent, o);


@@ -93,6 +93,11 @@ FWCmdMoveObject::~FWCmdMoveObject()
void FWCmdMoveObject::undo()
{
FWObject *dummySource = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_ADDRESS_ID);
FWObject *dummyDestination = dummySource;
FWObject *dummyService = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_SERVICE_ID);
FWObject *dummyInterface = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_INTERFACE_ID);
obj->setStr("folder", oldUserFolder.toUtf8().constData());
if (new_parent->hasChild(obj) && !old_parent->hasChild(obj))
{
@@ -112,6 +117,25 @@ void FWCmdMoveObject::undo()
foreach(FWObject *o, it->second)
{
FWObject *cobj = project->db()->findInIndex(obj_id);
if (RuleElement::cast(o)) {
setDiffType(Rule::cast(o->getParent()), DiffType::Edit);
if ( (o->getChildrenCount() == 1)) {
if (RuleElementSrc::cast(o) && st->getInt("Objects/PolicyRule/defaultSource")) {
o->removeRef(dummySource);
} else if (RuleElementDst::cast(o) && st->getInt("Objects/PolicyRule/defaultDestination")) {
o->removeRef(dummyDestination);
} else if (RuleElementSrv::cast(o) && st->getInt("Objects/PolicyRule/defaultService")) {
o->removeRef(dummyService);
} else if (RuleElementItf::cast(o) && st->getInt("Objects/PolicyRule/defaultInterface")) {
o->removeRef(dummyInterface);
}
}
}
if (cobj) o->addRef(cobj);
if (RuleElement::cast(o))
resetDiffType(Rule::cast(o->getParent()));
@@ -137,6 +161,11 @@ void FWCmdMoveObject::redo()
<< obj->getRefCounter();
if (reference_holders.size())
{
FWObject *dummySource = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_ADDRESS_ID);
FWObject *dummyDestination = dummySource;
FWObject *dummyService = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_SERVICE_ID);
FWObject *dummyInterface = new_parent->getRoot()->findInIndex(FWObjectDatabase::DUMMY_INTERFACE_ID);
map<int, set<FWObject*> >::iterator it;
for (it=reference_holders.begin(); it!=reference_holders.end(); ++it)
{
@@ -145,8 +174,49 @@ void FWCmdMoveObject::redo()
{
FWObject *cobj = project->db()->findInIndex(obj_id);
if (cobj) o->removeRef(cobj);
if (RuleElement::cast(o))
if (RuleElement::cast(o)) {
setDiffType(Rule::cast(o->getParent()), DiffType::Edit);
if ( (o->getChildrenCount() == 1)) {
FWObject *anyobj = FWObjectReference::getObject(*o->begin());
if (RuleElementSrc::cast(o) && st->getInt("Objects/PolicyRule/defaultSource")) {
if (!Address::cast(anyobj)->isAny())
continue;
if (!dummySource || (new_parent->getRoot()->getStringId(dummySource->getId()) != "dummyaddressid0"))
continue;
o->addRef(dummySource);
} else if (RuleElementDst::cast(o) && st->getInt("Objects/PolicyRule/defaultDestination")) {
if (!Address::cast(anyobj)->isAny())
continue;
if (!dummyDestination || (new_parent->getRoot()->getStringId(dummyDestination->getId()) != "dummyaddressid0"))
continue;
o->addRef(dummyDestination);
} else if (RuleElementSrv::cast(o) && st->getInt("Objects/PolicyRule/defaultService")) {
if (!Service::cast(anyobj)->isAny())
continue;
if (!dummyService || (new_parent->getRoot()->getStringId(dummyService->getId()) != "dummyserviceid0"))
continue;
o->addRef(dummyService);
} else if (RuleElementItf::cast(o) && st->getInt("Objects/PolicyRule/defaultInterface")) {
if (!Address::cast(anyobj)->isAny())
continue;
if (!dummyInterface || (new_parent->getRoot()->getStringId(dummyInterface->getId()) != "dummyinterfaceid0"))
continue;
o->addRef(dummyInterface);
}
}
}
}
}
}
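Review bot: In redo() (the last hunk) `anyobj`, obtained from `FWObjectReference::getObject(*o->begin())` at L2353, is dereferenced through `Address::cast(anyobj)->isAny()` and `Service::cast(anyobj)->isAny()` at L2355, L2361, L2367 and L2373 with no null check on either the lookup or the cast result, so a dangling reference or a child of an unexpected type (the RuleElementItf branch casts to Address) turns an undo/redo of a move into a null-pointer crash. Guard once after the lookup, `if (anyobj == NULL) continue;`, and test each cast before calling isAny(), e.g. `Address *a = Address::cast(anyobj); if (a == NULL || !a->isAny()) continue;`. undo() (second hunk) is asymmetric with redo(): it calls `o->removeRef(dummySource)` and friends at L2321–L2327 without the null checks redo() performs at L2357/L2363/L2369/L2375, so a database lacking the dummy objects passes NULL to removeRef — if that is not a tolerated no-op, add the same guards. Both function bodies appear to extend past the hunk boundaries.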


@@ -0,0 +1,271 @@
/*
Firewall Builder
Copyright (C) 2008 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"
#include "FirewallInstallerJuniper.h"
#include "instDialog.h"
#include "SSHJUNOS.h"
#include "Configlet.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/XMLTools.h"
#include <QFileInfo>
#include <QTextStream>
#include <QMessageBox>
#include <QtDebug>
using namespace std;
using namespace libfwbuilder;
FirewallInstallerJuniper::FirewallInstallerJuniper(instDialog *_dlg,
instConf *_cnf, const QString &_p):
FirewallInstaller(_dlg, _cnf, _p)
{
// string platform = cnf->fwobj->getStr("platform");
// if (cnf->fwdir.isEmpty())
// {
// if (platform=="nxosacl") cnf->fwdir = "volatile:";
// else cnf->fwdir = "flash:";
// }
}
bool FirewallInstallerJuniper::packInstallJobsList(Firewall*)
{
if (fwbdebug)
qDebug("FirewallInstallerJuniper::packInstallJobList script=%s",
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
cnf->script.toAscii().constData());
#else
cnf->script.toLatin1().constData());
#endif
job_list.clear();
Management *mgmt = cnf->fwobj->getManagementObject();
assert(mgmt!=NULL);
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
if (pis->getCommand()!="")
{
QString cmd = pis->getCommand().c_str();
QString args = pis->getArguments().c_str();
job_list.push_back(
instJob(RUN_EXTERNAL_SCRIPT, cmd, args));
inst_dlg->addToLog(QString("Run script %1 %2\n").arg(cmd).arg(args));
return true;
}
// Load configuration file early so we can abort installation if
// it is not accessible
// Note about option "install only acl, icmp, telnet, ssh, nat,
// global and static" for PIX. This option used to read generated
// config but cuts off everything before the magic comment line
// "!################". This way, it only read object-group,
// access-list, access-group, nat, static and global commands. It
// skipped all interface configurations, timeouts and inspector
// commands. It is difficult to implement now that we (can) use
// scp to copy configuration to the firewall. We would have to
// create temporary file with modified configuration in order to
// do this. To avoid hassles with temporary files, we move the
// same function to the compiler. The checkbox moves to the
// "script" tab of the pix advanced settings dialog and when it is on,
// compiler generates the script with only acl, icmp, telnet, ssh
// nat,static and global commands
//
// This mode of installation is not supported on IOS at all.
QString ff;
QFileInfo script_info(cnf->script);
if (script_info.isAbsolute()) ff = cnf->script;
else ff = cnf->wdir + "/" + cnf->script;
QFile data(ff);
if (data.open(QFile::ReadOnly))
{
QTextStream strm(&data);
QString line;
do
{
line = strm.readLine();
config_lines.push_back(line.trimmed());
} while (!strm.atEnd());
} else
{
QMessageBox::critical(
inst_dlg, "Firewall Builder",
tr("Can not read generated script %1").arg(ff),
tr("&Continue"), QString::null,QString::null,
0, 1 );
return false;
}
string platform = cnf->fwobj->getStr("platform");
// Currently we only support scp for Junos
cnf->useSCPForRouter = true;
if (cnf->useSCPForRouter)
{
QMap<QString,QString> all_files;
// readManifest() modifies cnf (assigns cnf->remote_script) !
if (readManifest(cnf->script, &all_files))
{
QMap<QString, QString>::iterator it;
for (it=all_files.begin(); it!=all_files.end(); ++it)
{
QString local_name = it.key();
QString remote_name = it.value();
job_list.push_back(instJob(COPY_FILE, local_name, remote_name));
}
}
QString cmd = getActivationCmd();
job_list.push_back(instJob(ACTIVATE_POLICY, cmd, ""));
} else
{
job_list.push_back(instJob(ACTIVATE_POLICY, cnf->script, ""));
}
return true;
}
void FirewallInstallerJuniper::activatePolicy(const QString&, const QString&)
{
QStringList args;
packSSHArgs(args);
if (cnf->verbose) inst_dlg->displayCommand(args);
SSHJunos *ssh_object = new SSHJunos(inst_dlg,
cnf->fwobj->getName().c_str(),
args,
cnf->pwd,
cnf->epwd,
list<string>());
/*
* TODO:
* the structure of scriptlets (command templates) for PIX and
* IOS is nice and generic, it uses generalized "pre_config"
* and "post_config" hooks in SSHPIX / SSHIOS classes. Need to
* do the same for Unix firewalls.
*/
QString cmd = "";
QStringList pre_config_commands;
QStringList post_config_commands;
string host_os = cnf->fwobj->getStr("host_OS");
string os_family = Resources::os_res[host_os]->
getResourceStr("/FWBuilderResources/Target/family");
// installer configlets should be different for each OS, but if
// some OS can use the same script, it will be placed in the file
// under os_family name. For example:
// for PIX configlet is in src/res/configlets/pix_os
// but since fwsm and pix can use the same script and fwsm_os.xml
// declares family as "pix_os", it uses the same configlet.
Configlet pre_config(host_os, os_family, "installer_commands_pre_config");
replaceMacrosInCommand(&pre_config);
Configlet post_config(host_os, os_family, "installer_commands_post_config");
post_config.removeComments();
post_config.setVariable("test", false);
post_config.setVariable("run", true);
post_config.setVariable("schedule_rollback", false);
post_config.setVariable("cancel_rollback", false);
replaceMacrosInCommand(&post_config);
ssh_object->loadPreConfigCommands(
pre_config.expand().split("\n", QString::SkipEmptyParts) );
ssh_object->loadPostConfigCommands(
post_config.expand().split("\n", QString::SkipEmptyParts) );
Configlet activation(host_os, os_family, "installer_commands_reg_user");
activation.removeComments();
replaceMacrosInCommand(&activation);
activation.setVariable("using_scp", cnf->useSCPForRouter);
activation.setVariable("not_using_scp", ! cnf->useSCPForRouter);
if ( ! cnf->useSCPForRouter)
{
activation.setVariable("fwbuilder_generated_configuration_lines",
config_lines.join("\n"));
}
ssh_object->loadActivationCommands(
activation.expand().split("\n", QString::SkipEmptyParts) );
runSSHSession(ssh_object);
return;
}
bool FirewallInstallerJuniper::readManifest(const QString &script,
QMap<QString, QString> *all_files)
{
if (fwbdebug)
qDebug("FirewallInstaller::readManifest");
QString dest_dir = getDestinationDir(cnf->fwdir);
// path returned by getDestinationDir always ends with separator
// in case of IOS, it is ":"
QFileInfo file_base(script);
QString remote_file = dest_dir + file_base.fileName();
qDebug() << "001 REMOTE FILE:" << remote_file;
QString local_name = script;
cnf->remote_script = remote_file;
(*all_files)[local_name] = remote_file;
return true;
}
QString FirewallInstallerJuniper::getDestinationDir(const QString &fwdir)
{
if (fwbdebug)
qDebug() << "FirewallInstallerCisco::getDestinationDir: "
<< "fwdir=" << fwdir;
QString dir = fwdir;
if (!dir.endsWith("/")) return dir + "/";
return dir;
}
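Review bot: `schedule_rollback` and `cancel_rollback` are hard-coded to false at L2560–L2561, so if the installer_commands_post_config configlet uses them to choose between plain `commit` and Junos `commit confirmed` (the variable names suggest so; the configlet is not in this hunk), a pushed filter that cuts off management access is committed with no automatic rollback — consider defaulting to `commit confirmed` and issuing the confirming `commit` only after the session has verified it is still reachable, which is exactly the failure mode remote ACL installs need protection from. readManifest() prints `qDebug() << "001 REMOTE FILE:" << remote_file;` at L2592 unconditionally while the preceding qDebug is gated on fwbdebug; gate it the same way or remove the leftover. getDestinationDir()'s debug text at L2601 still names FirewallInstallerCisco, and `cnf->useSCPForRouter = true` at L2501 makes the else branches at L2518–L2521 and L2572–L2576 unreachable — either delete them or comment that scp is currently the only supported transport so the dead code is understood as intentional.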


@@ -0,0 +1,67 @@
/*
Firewall Builder
Copyright (C) 2008 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __FIREWALLINSTALLERJUNIPER_H_
#define __FIREWALLINSTALLERJUNIPER_H_
#include "config.h"
#include "FirewallInstaller.h"
#include <qstring.h>
#include <qstringlist.h>
#include <qprocess.h>
#include <qobject.h>
#include <QStringList>
namespace libfwbuilder
{
class Firewall;
}
class FirewallInstallerJuniper : public FirewallInstaller
{
Q_OBJECT;
protected:
QStringList config_lines;
virtual QString getDestinationDir(const QString &dir);
virtual bool readManifest(const QString &conffie,
QMap<QString, QString> *all_files);
public:
FirewallInstallerJuniper(instDialog *_dlg, instConf *_cnf, const QString &_p);
virtual bool packInstallJobsList(libfwbuilder::Firewall*);
virtual void activatePolicy(const QString &script, const QString &args);
};
#endif


@@ -105,12 +105,13 @@ void RuleOptionsDialog::loadFWObject(FWObject *o)
PolicyRule *policy_rule = PolicyRule::cast(rule);
int wid=0;
if (platform=="iptables") wid=0;
if (platform=="ipf") wid=1;
if (platform=="pf") wid=2;
if (platform=="ipfw") wid=3;
if (platform=="pix" || platform=="fwsm") wid=4;
if (platform=="iosacl" || platform=="procurve_acl") wid=5;
if (platform=="iptables") wid=1;
if (platform=="ipf") wid=2;
if (platform=="pf") wid=3;
if (platform=="ipfw") wid=4;
if (platform=="pix" || platform=="fwsm") wid=5;
if (platform=="iosacl" || platform=="procurve_acl") wid=6;
if (platform=="junosacl") wid=7;
m_dialog->wStack->widget(wid)->raise();
m_dialog->wStack->setCurrentWidget(m_dialog->wStack->widget(wid));
@@ -356,6 +357,11 @@ void RuleOptionsDialog::loadFWObject(FWObject *o)
}
if (platform=="junosacl")
{
data.registerOption(m_dialog->counterLineEdit, ropt, "counter_name");
}
init = true;
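Review bot: `counter_name` (L2679) is free text bound straight from a line edit and, by its name and the PolicyModel change in this commit, ends up in the generated Junos filter; if the compiler does not validate it, a value containing whitespace, `;` or `}` can break or alter the emitted term, so restrict the widget with a QRegExpValidator for `[A-Za-z0-9_-]+` or validate in the compiler and reject the rule. The page indices for every existing platform shift by one at L2666–L2671 and any platform not listed still falls through to `wid=0`, which now selects whatever page sits at index 0 of wStack rather than the iptables page; confirm that is the intended default and prefer `m_dialog->wStack->indexOf(<page widget>)` or named constants so the next platform does not require renumbering every line. loadFWObject() continues outside the hunk.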


@@ -1473,6 +1473,9 @@ QStringList PolicyModel::getRuleOptions(Rule* r) const
if (policyRule->getLogging()) res << "Log";
if (!policyRule->getOptionsObject()->getStr("counter_name").empty())
res << "Accounting";
if ( ! isDefaultPolicyRuleOptions(r->getOptionsObject())) res << "Options";
FWObject *firewall = r;


@@ -315,6 +315,8 @@ void RuleSetViewDelegate::paintOptions(
if (icon.contains("Log")) parameter = tr("log");
if (icon.contains("Options")) parameter = tr("(options)");
if (icon.contains("Accounting")) parameter = tr("(counter)");
drawIconAndText(painter,
itemRect.adjusted(
HORIZONTAL_MARGIN, VERTICAL_MARGIN,

432
src/libgui/SSHJUNOS.cpp Normal file

@@ -0,0 +1,432 @@
/*
Firewall Builder
Copyright (C) 2003 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "global.h"
#include "utils.h"
#include "SSHJUNOS.h"
#include <QObject>
#include <QTimer>
#include <QRegExp>
#include <QMessageBox>
#include <QApplication>
#include <QEventLoop>
#include <QFileInfo>
#include <QtDebug>
#include <iostream>
#include <errno.h>
#ifndef errno
extern int errno;
#endif
using namespace std;
SSHJunos::SSHJunos(QWidget *_par,
const QString &_h,
const QStringList &args,
const QString &_p,
const QString &_ep,
const std::list<std::string> &_in) :
SSHSession(_par,_h,args,_p,_ep,_in)
{
normal_prompt="% $"; // shell
fwb_prompt="--**--**--";
enable_prompt="> $"; // operational prompt
config_prompt="# $"; // configuration prompt
pwd_prompt_1="'s password: $";
pwd_prompt_2="Password: ";
epwd_prompt="Password: ";
ssh_pwd_prompt="'s password: ";
ssoft_config_prompt="> ";
putty_pwd_prompt="Password: ";
passphrase_prompt="Enter passphrase for key ";
errorsInit.clear();
errorsInit.push_back("Permission denied");
errorsInit.push_back("Invalid password");
errorsInit.push_back("Access denied");
errorsInit.push_back("Unable to authenticate");
errorsInit.push_back("Too many authentication failures");
errorsLoggedin.clear();
errorsLoggedin.push_back("Invalid password");
errorsLoggedin.push_back("ERROR: ");
errorsLoggedin.push_back("Not enough arguments");
errorsLoggedin.push_back("cannot find");
errorsEnabledState.clear();
errorsEnabledState.push_back("ERROR: ");
errorsEnabledState.push_back("Type help");
errorsEnabledState.push_back("Not enough arguments");
errorsEnabledState.push_back("invalid input detected");
errorsEnabledState.push_back("Invalid");
errorsEnabledState.push_back("cannot find");
errorsEnabledState.push_back("error: configuration database modified");
errorsEnabledState.push_back("error: configuration database locked by:");
errorsConfigState.clear();
errorsConfigState.push_back("error: configuration check-out failed");
}
SSHJunos::~SSHJunos()
{
}
void SSHJunos::loadPreConfigCommands(const QStringList &cl)
{
pre_config_commands = cl;
}
void SSHJunos::loadPostConfigCommands(const QStringList &cl)
{
post_config_commands = cl;
}
void SSHJunos::loadActivationCommands(const QStringList &cl)
{
activation_commands = cl;
foreach(QString line, activation_commands)
{
/*
* store names of access-lists and object-groups
* actually used in the config
*/
if (line.indexOf("access-list ")==0)
newAcls.push_back(line.section(' ',1,1));
if (line.indexOf("object-group ")==0)
newObjectGroups.push_back(line.section(' ',1,1));
}
emit updateProgressBar_sign(activation_commands.size(), true);
}
bool SSHJunos::checkForErrors()
{
QStringList *errptr;
switch(state)
{
case LOGGEDIN:
errptr = &errorsLoggedin;
break;
case ENABLE:
case WAITING_FOR_CONFIG_PROMPT:
errptr = &errorsEnabledState;
break;
case CONFIG:
case PUSHING_CONFIG:
errptr = &errorsConfigState;
break;
default:
errptr = &errorsInit;
break;
}
for (QStringList::const_iterator i=errptr->begin(); i!=errptr->end(); ++i)
{
QString line = *i;
if (stdoutBuffer.lastIndexOf(line, -1) != -1)
{
error = true;
if (fwbdebug)
qDebug() << "Got known error message: " << line;
emit printStdout_sign(tr("\n*** Fatal error :"));
emit printStdout_sign(line + "\n");
stdoutBuffer="";
if (state == CONFIG || state == PUSHING_CONFIG) {
emit printStdout_sign(tr("\n*** Doing a rollback"));
sendCommand("rollback 0");
}
if (state == WAITING_FOR_CONFIG_PROMPT) {
state = EXIT_FROM_CONFIG;
return true;
}
sessionComplete(true); // finish with error status
terminate();
return true;
}
}
return false;
}
void SSHJunos::stateMachine()
{
if (checkForErrors()) return;
if (fwbdebug)
qDebug() << "SSHJunos::stateMachine() state=" << state
<< "(ENABLE=" << ENABLE << ")"
<< "(CONFIG=" << CONFIG << ")"
<< "(PUSHING_CONFIG=" << PUSHING_CONFIG << ")"
<< " stdoutBuffer=" << stdoutBuffer;
switch (state)
{
case NONE:
{
if ( cmpPrompt(stdoutBuffer, QRegExp(pwd_prompt_1)) ||
cmpPrompt(stdoutBuffer, QRegExp(pwd_prompt_2)) )
{
stdoutBuffer="";
#if QT_VERSION < QT_VERSION_CHECK(5, 0, 0)
proc->write( (pwd + "\n").toAscii() );
#else
proc->write( (pwd + "\n").toLatin1() );
#endif
break;
}
/* we may get to LOGGEDIN state directly from NONE, for example when
* password is supplied on command line to plink.exe.
* This only happens with the root user
*/
if (cmpPrompt(stdoutBuffer, QRegExp(normal_prompt)))
{
stdoutBuffer="";
state=LOGGEDIN;
emit printStdout_sign("\n");
emit printStdout_sign( tr("Logged in") + "\n");
emit printStdout_sign( tr("Switching to operational promt...") + "\n");
stdoutBuffer="";
proc->write("cli\n");
}
/* we get straight to operational prompt as a normal user
*/
if (cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)))
{
state = WAITING_FOR_ENABLE;
stateMachine();
break;
}
QString fingerprint;
if (stdoutBuffer.indexOf(newKeyOpenSSH) != -1 ||
stdoutBuffer.indexOf(newKeyPlink) != -1 ||
stdoutBuffer.indexOf(newKeySSHComm) != -1)
{
/* new key */
bool unix_y_n = (stdoutBuffer.indexOf(newKeyOpenSSH) != -1 ||
stdoutBuffer.indexOf(newKeySSHComm) != -1);
if (fwbdebug) qDebug("New host key message detected");
fingerprint = findKeyFingerprint(stdoutBuffer);
QString msg = newKeyMsg.arg(host).arg(fingerprint).arg(host);
stopHeartBeat();
int res = QMessageBox::warning(parent, tr("New RSA key"), msg,
tr("Yes"), tr("No"), 0,
0, -1);
if (fwbdebug)
qDebug("User said: red=%d", res);
startHeartBeat();
stdoutBuffer="";
if (res==0)
{
if (unix_y_n) proc->write("yes\n");
else proc->write("y\n");
break;
} else
{
sessionComplete(true); // finish with error status
return;
}
}
if (stdoutBuffer.indexOf("Terminal type?") != -1)
{
stdoutBuffer="";
proc->write("ansi\n");
return;
}
}
break;
case LOGGEDIN:
if (cmpPrompt(stdoutBuffer, QRegExp(normal_prompt)))
{
stdoutBuffer="";
proc->write("cli\n");
state=WAITING_FOR_ENABLE;
stdoutBuffer="";
break;
}
case WAITING_FOR_ENABLE:
if (cmpPrompt(stdoutBuffer,QRegExp(enable_prompt)))
{
emit printStdout_sign( tr("In operational prompt."));
emit printStdout_sign("\n");
state=ENABLE;
stateMachine();
break;
}
case ENABLE:
if (cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)))
{
if (pre_config_commands.size() > 0)
{
stdoutBuffer="";
QString cmd = pre_config_commands.front();
pre_config_commands.pop_front();
sendCommand(cmd);
break;
}
stdoutBuffer="";
state = WAITING_FOR_CONFIG_PROMPT;
// Trying to get exclusive configuration prompt
proc->write("configure exclusive\n");
// kick it so we get some output from the router and
// continue the state machine
proc->write("\n");
}
break;
case WAITING_FOR_CONFIG_PROMPT:
if (cmpPrompt(stdoutBuffer, QRegExp(config_prompt)))
{
/* install full policy */
state = PUSHING_CONFIG;
if (!dry_run)
emit printStdout_sign(tr("Pushing firewall configuration"));
emit printStdout_sign("\n");
stdoutBuffer="";
proc->write("\n");
ncmd=0;
}
break;
case PUSHING_CONFIG:
if (cmpPrompt(stdoutBuffer, QRegExp(config_prompt)))
{
// see SF bug 2973136 , fwbuilder bug #1347
// looks like if user hits Cancel to cancel install at just right
// moment, the process can get killed when control is already
// inside this block. Adding test for proc != NULL to be sure.
if (activation_commands.size() != 0 && proc != NULL)
{
QString s;
do {
s = activation_commands.front();
activation_commands.pop_front();
emit updateProgressBar_sign(activation_commands.size(), false);
s.replace('\"', '\'');
if (!quiet)
{
QString rl="";
if (s.indexOf(QString("%1 Rule ").arg(comment_symbol)) != -1)
rl = s.mid(7);
if ( !rl.isEmpty())
{
emit printStdout_sign( tr("Rule %1").arg(rl) + "\n");
}
}
} while (stripComments && s[0] == comment_symbol);
sendCommand(s);
} else {
/* activation_commands.size() == 0 */
proc->write("exit\n");
state = EXIT_FROM_CONFIG;
emit printStdout_sign( tr("End") + "\n");
// kick it so we get some output from the router and
// continue the state machine
if (proc) proc->write("\n");
}
}
break;
case EXIT_FROM_CONFIG:
if (cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)))
{
/*
* Execute post_config_commands
*/
if (post_config_commands.size() > 0)
{
stdoutBuffer="";
QString cmd = post_config_commands.front();
post_config_commands.pop_front();
sendCommand(cmd);
break;
}
stdoutBuffer="";
state = EXIT;
proc->write("\n");
}
break;
case EXIT:
if (cmpPrompt(stdoutBuffer, QRegExp(enable_prompt)) ||
cmpPrompt(stdoutBuffer, QRegExp(normal_prompt)) )
{
stdoutBuffer="";
proc->write("exit\n");
if (error) {
sessionComplete(true); // finish with error status
terminate();
}
}
break;
case FINISH:
break;
default:
break;
}
}

src/libgui/SSHJUNOS.h Normal file

@@ -0,0 +1,87 @@
/*
Firewall Builder
Copyright (C) 2003 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __SSHJUNOS_H_
#define __SSHJUNOS_H_
#include "config.h"
#include "global.h"
#include "SSHSession.h"
#include <QString>
#include <list>
#include <string>
class QEventLoop;
class SSHJunos : public SSHSession {
Q_OBJECT;
int nLines;
int ncmd;
protected:
QEventLoop *local_event_loop;
QStringList newAcls;
QStringList currentAcls;
QStringList newObjectGroups;
QStringList currentObjectGroups;
QStringList pre_config_commands;
QStringList post_config_commands;
QStringList activation_commands;
QStringList errorsConfigState;
char comment_symbol;
public:
SSHJunos(QWidget *parent,
const QString &host,
const QStringList &args,
const QString &pwd,
const QString &epwd,
const std::list<std::string> &in);
virtual ~SSHJunos();
virtual bool checkForErrors();
virtual void stateMachine();
QString cmd(QProcess *proc, const QString &cmd);
void loadPreConfigCommands(const QStringList &cl);
void loadPostConfigCommands(const QStringList &cl);
void loadActivationCommands(const QStringList &cl);
};
#endif
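Review bot: The include guard `__SSHJUNOS_H_` begins with a double underscore, which is reserved for the implementation, and the class line reads `Q_OBJECT;` with a stray semicolon; the same reserved-style guards appear in junosAdvancedDialog.h and junosaclAdvancedDialog.h, where the closing `#endif` comment also names a different macro than the one the guard defines. The header uses `QStringList` and `QProcess` but includes only `<QString>` and forward-declares only `QEventLoop`; if those names arrive through SSHSession.h that is fine, otherwise add `#include <QStringList>` and `class QProcess;`. In `QString cmd(QProcess *proc, const QString &cmd);` the parameter shadows the method name; `const QString &command` reads better. Members such as `newAcls`, `currentObjectGroups`, `nLines` and `errorsConfigState` are not referenced in the part of the state machine visible in this diff; if they were carried over from the IOS session unused, drop them.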


@@ -703,6 +703,12 @@ bool instDialog::isProcurve()
return (platform=="procurve_acl");
}
bool instDialog::isJuniper()
{
string platform = cnf.fwobj->getStr("platform");
return (platform=="junosacl");
}
/*
* "uncheck" checkbox in the "install" column to make sure we do not
* try to install this firewall. Used in instDialog_compile on failure.


@@ -231,6 +231,7 @@ protected:
bool isCiscoFamily();
bool isProcurve();
bool isJuniper();
void interpretLogLine(const QString &buf);


@@ -32,6 +32,7 @@
#include "FWBSettings.h"
#include "FWWindow.h"
#include "FirewallInstallerCisco.h"
#include "FirewallInstallerJuniper.h"
#include "FirewallInstallerProcurve.h"
#include "FirewallInstallerUnx.h"
#include "events.h"
@@ -118,13 +119,12 @@ bool instDialog::runInstaller(Firewall *fw, bool installing_many_firewalls)
if (isCiscoFamily())
installer = new FirewallInstallerCisco(this, &cnf, fwb_prompt);
else
{
if (isProcurve())
else if (isProcurve())
installer = new FirewallInstallerProcurve(this, &cnf, fwb_prompt);
else
else if (isJuniper())
installer = new FirewallInstallerJuniper(this, &cnf, fwb_prompt);
else
installer = new FirewallInstallerUnx(this, &cnf, fwb_prompt);
}
if (!installer->packInstallJobsList(fw))
{
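Review bot: The selection in `runInstaller` tests `isCiscoFamily()` before `isJuniper()`, so if `isCiscoFamily()` (defined outside this diff) ever matched the `junosacl` platform the Juniper branch would be unreachable; worth confirming it does not. Each branch assigns `installer` from a raw `new`, which the hunk extends rather than introduces; a small helper such as `FirewallInstaller *instDialog::makeInstaller(...)` returning the right subclass would keep the growing chain out of `runInstaller`. `runInstaller` continues beyond the hunk.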


@@ -131,6 +131,11 @@ instOptionsDialog::instOptionsDialog(QWidget *parent, instConf *_cnf, bool insta
m_dialog->copyFWB->hide();
m_dialog->PIXgroupBox->hide();
} else if (platform=="junosacl") {
m_dialog->copyFWB->hide();
m_dialog->PIXgroupBox->hide();
m_dialog->epwd->hide();
m_dialog->epwdLbl->hide();
} else
{
m_dialog->epwd->hide();


@@ -0,0 +1,106 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "global.h"
#include "utils.h"
#include "junosAdvancedDialog.h"
#include "FWWindow.h"
#include "FWCmdChange.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include <memory>
#include <qcheckbox.h>
#include <qspinbox.h>
#include <qcombobox.h>
#include <qradiobutton.h>
#include <qlineedit.h>
#include <qstackedwidget.h>
#include <qregexp.h>
using namespace std;
using namespace libfwbuilder;
junosAdvancedDialog::~junosAdvancedDialog()
{
delete m_dialog;
}
junosAdvancedDialog::junosAdvancedDialog(QWidget *parent,FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::junosAdvancedDialog_q;
m_dialog->setupUi(this);
obj=o;
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
/* Page "General" */
data.registerOption( m_dialog->junos_set_host_name , fwoptions, "junos_set_host_name" );
data.registerOption( m_dialog->junos_ip_address , fwoptions, "junos_ip_address" );
data.loadAll();
m_dialog->tabWidget->setCurrentIndex(0);
}
/*
* store all data in the object
*/
void junosAdvancedDialog::accept()
{
ProjectPanel *project = mw->activeProject();
std::auto_ptr<FWCmdChange> cmd( new FWCmdChange(project, obj));
// new_state is a copy of the fw object
FWObject* new_state = cmd->getNewState();
FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject();
assert(fwoptions!=NULL);
data.saveAll(fwoptions);
if (!cmd->getOldState()->cmp(new_state, true))
project->undoStack->push(cmd.release());
QDialog::accept();
}
void junosAdvancedDialog::reject()
{
QDialog::reject();
}
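Review bot: `Management *mgmt` is fetched and asserted in the `junosAdvancedDialog` constructor but never used, so the lookup and its `assert` can be dropped. The constructor dereferences `Firewall::cast(obj)` directly to reach `getOptionsObject()` and only afterwards asserts on the returned options pointer; binding the cast first, `Firewall *fw = Firewall::cast(obj); assert(fw!=NULL);`, checks the right thing, and since `assert` disappears in release builds the callers still have to guarantee `obj` is a Firewall. Most of the Qt includes (`qcheckbox.h`, `qspinbox.h`, `qcombobox.h`, `qradiobutton.h`, `qlineedit.h`, `qstackedwidget.h`, `qregexp.h`) are not used by this file, and `assert` relies on `<cassert>` arriving through config.h or the fwbuilder headers. The file header appears copied from an older dialog (2004 copyright, original author) and should be updated for the new file.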


@@ -0,0 +1,61 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __JUNOSADVANCEDDIALOG_H_
#define __JUNOSADVANCEDDIALOG_H_
#include <ui_junosadvanceddialog_q.h>
#include "DialogData.h"
namespace libfwbuilder {
class FWObject;
};
class junosAdvancedDialog : public QDialog
{
Q_OBJECT
libfwbuilder::FWObject *obj;
DialogData data;
Ui::junosAdvancedDialog_q*m_dialog;
public:
junosAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o);
~junosAdvancedDialog();
protected slots:
virtual void accept();
virtual void reject();
public slots:
};
#endif // __JUNOSADVANCEDDIALOG_H


@@ -0,0 +1,376 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"
#include "junosaclAdvancedDialog.h"
#include "SimpleTextEditor.h"
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWCmdChange.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/XMLTools.h"
#include <memory>
#include <qcheckbox.h>
#include <qspinbox.h>
#include <qcombobox.h>
#include <qradiobutton.h>
#include <qlineedit.h>
#include <qstackedwidget.h>
#include <qregexp.h>
#include <qtextedit.h>
#include <qtabwidget.h>
#include <qlistwidget.h>
#include <qlabel.h>
#include <qprocess.h>
#include <qfile.h>
#include <iostream>
#include <sstream>
#include <libxml/xmlmemory.h>
using namespace std;
using namespace libfwbuilder;
junosaclAdvancedDialog::~junosaclAdvancedDialog()
{
delete m_dialog;
}
junosaclAdvancedDialog::junosaclAdvancedDialog(QWidget *parent,FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::junosaclAdvancedDialog_q;
m_dialog->setupUi(this);
obj=o;
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
string vers="version_"+obj->getStr("version");
string platform = obj->getStr("platform"); // should be 'junosacl'
QString s;
QStringList logLevels;
QStringList logLevelMapping;
logLevelMapping.push_back("");
logLevelMapping.push_back("");
/* filling pop-down menu and pushing the same strings to the mapping
* list at the same time so we could use translation
*/
s=QObject::tr("0 - System Unusable");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("0");
s=QObject::tr("1 - Take Immediate Action");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("1");
s=QObject::tr("2 - Critical Condition");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("2");
s=QObject::tr("3 - Error Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("3");
s=QObject::tr("4 - Warning Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("4");
s=QObject::tr("5 - Normal but significant condition");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("5");
s=QObject::tr("6 - Informational");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("6");
s=QObject::tr("7 - Debug Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("7");
/* do not need to translate syslog facilities, but will use the same
* method just in case */
QStringList syslogFacilities;
QStringList syslogFacilityMapping;
syslogFacilities.push_back("");
syslogFacilityMapping.push_back("");
syslogFacilityMapping.push_back("");
syslogFacilities.push_back("LOCAL0");
syslogFacilityMapping.push_back("LOCAL0");
syslogFacilityMapping.push_back("16");
syslogFacilities.push_back("LOCAL1");
syslogFacilityMapping.push_back("LOCAL1");
syslogFacilityMapping.push_back("17");
syslogFacilities.push_back("LOCAL2");
syslogFacilityMapping.push_back("LOCAL2");
syslogFacilityMapping.push_back("18");
syslogFacilities.push_back("LOCAL3");
syslogFacilityMapping.push_back("LOCAL3");
syslogFacilityMapping.push_back("19");
syslogFacilities.push_back("LOCAL4");
syslogFacilityMapping.push_back("LOCAL4");
syslogFacilityMapping.push_back("20");
syslogFacilities.push_back("LOCAL5");
syslogFacilityMapping.push_back("LOCAL5");
syslogFacilityMapping.push_back("21");
syslogFacilities.push_back("LOCAL6");
syslogFacilityMapping.push_back("LOCAL6");
syslogFacilityMapping.push_back("22");
syslogFacilities.push_back("LOCAL7");
syslogFacilityMapping.push_back("LOCAL7");
syslogFacilityMapping.push_back("23");
bool f1=fwoptions->getBool("junosacl_acl_basic");
bool f2=fwoptions->getBool("junosacl_acl_no_clear");
bool f3=fwoptions->getBool("junosacl_acl_substitution");
bool f4=fwoptions->getBool("junosacl_add_clear_statements");
/*
* If none of the new junosacl_acl_* options is set and old junosacl_add_clear_statements
* option is true, set junosacl_acl_basic to true.
*
* If old option junosacl_add_clear_statements iss false, set
* junosacl_acl_no_clear to true
*/
if (!f1 && !f2 && !f3)
{
if ( f4 ) fwoptions->setBool("junosacl_acl_basic",true);
else fwoptions->setBool("junosacl_acl_no_clear",true);
}
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
data.registerOption(m_dialog->ipv4before_2, fwoptions,
"ipv4_6_order",
QStringList() << tr("IPv4 before IPv6")
<< "ipv4_first"
<< tr("IPv6 before IPv4")
<< "ipv6_first"
);
/* Page "Compiler Options" */
data.registerOption( m_dialog->outputFileName, fwoptions,
"output_file" );
data.registerOption( m_dialog->filterPrefix, fwoptions,
"filter_prefix");
/*
data.registerOption( m_dialog->junosacl_use_object_groups, fwoptions,
"junosacl_use_object_groups" );
*/
/*
data.registerOption( m_dialog->junosacl_acl_alwaysNew, fwoptions,
"junosacl_acl_always_new" );
*/
data.registerOption( m_dialog->junosacl_include_comments, fwoptions,
"junosacl_include_comments" );
data.registerOption( m_dialog->junosacl_check_shadowing, fwoptions,
"check_shading" );
data.registerOption( m_dialog->junosacl_ignore_empty_groups, fwoptions,
"ignore_empty_groups" );
/* page Installer */
data.registerOption( m_dialog->user, fwoptions, "admUser");
data.registerOption( m_dialog->altAddress, fwoptions, "altAddress");
data.registerOption( m_dialog->sshArgs, fwoptions, "sshArgs");
data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs");
data.registerOption( m_dialog->use_scp, fwoptions, "use_scp");
// data.registerOption( m_dialog->use_junos_session, fwoptions, "use_junos_session" );
data.registerOption( m_dialog->filesystem, fwoptions, "filesystem");
data.registerOption( m_dialog->filesystem, fwoptions, "firewall_dir");
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
m_dialog->installScript->setText(pis->getCommand().c_str() );
m_dialog->installScriptArgs->setText( pis->getArguments().c_str() );
/* page "Prolog/Epilog" */
data.registerOption( m_dialog->junosacl_prolog_script, fwoptions,
"junosacl_prolog_script" );
data.registerOption( m_dialog->junosacl_epilog_script, fwoptions,
"junosacl_epilog_script" );
/* page Logging */
data.registerOption(m_dialog->generate_logging_commands, fwoptions,
"junosacl_generate_logging_commands");
data.registerOption(m_dialog->syslog_host, fwoptions, "junosacl_syslog_host");
m_dialog->syslog_facility->clear();
m_dialog->syslog_facility->addItems( syslogFacilities );
data.registerOption( m_dialog->syslog_facility, fwoptions,
"junosacl_syslog_facility", syslogFacilityMapping);
m_dialog->logging_trap_level->clear();
m_dialog->logging_trap_level->addItems(logLevels);
data.registerOption( m_dialog->logging_trap_level, fwoptions,
"junosacl_logging_trap_level", logLevelMapping);
data.registerOption(m_dialog->logging_timestamp, fwoptions,
"junosacl_logging_timestamp");
data.registerOption(m_dialog->logging_buffered, fwoptions,
"junosacl_logging_buffered");
m_dialog->logging_buffered_level->clear();
m_dialog->logging_buffered_level->addItems(logLevels);
data.registerOption( m_dialog->logging_buffered_level, fwoptions,
"junosacl_logging_buffered_level", logLevelMapping);
data.registerOption(m_dialog->logging_console, fwoptions,
"junosacl_logging_console");
m_dialog->logging_console_level->clear();
m_dialog->logging_console_level->addItems(logLevels);
data.registerOption( m_dialog->logging_console_level,fwoptions,
"junosacl_logging_console_level", logLevelMapping);
data.loadAll();
scriptACLModeChanged();
toggleGenerateLogging();
// Currently Junos only support scp
m_dialog->use_scp->setChecked(true);
m_dialog->use_scp->setEnabled(false);
m_dialog->tabWidget->setCurrentIndex(0);
}
/*
* store all data in the object
*/
void junosaclAdvancedDialog::accept()
{
ProjectPanel *project = mw->activeProject();
std::auto_ptr<FWCmdChange> cmd( new FWCmdChange(project, obj));
// new_state is a copy of the fw object
FWObject* new_state = cmd->getNewState();
FWOptions* options = Firewall::cast(new_state)->getOptionsObject();
assert(options!=NULL);
Management *mgmt = (Firewall::cast(new_state))->getManagementObject();
assert(mgmt!=NULL);
data.saveAll(options);
const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress();
if (mgmt_addr)
mgmt->setAddress(*mgmt_addr);
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
pis->setCommand( m_dialog->installScript->text().toLatin1().constData() );
pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() );
if (!cmd->getOldState()->cmp(new_state, true))
project->undoStack->push(cmd.release());
QDialog::accept();
}
void junosaclAdvancedDialog::reject()
{
QDialog::reject();
}
void junosaclAdvancedDialog::editProlog()
{
SimpleTextEditor edt(this,
m_dialog->junosacl_prolog_script->toPlainText(),
true, tr( "Script Editor" ) );
if ( edt.exec() == QDialog::Accepted )
m_dialog->junosacl_prolog_script->setText( edt.text() );
}
void junosaclAdvancedDialog::editEpilog()
{
SimpleTextEditor edt(this,
m_dialog->junosacl_epilog_script->toPlainText(),
true, tr( "Script Editor" ) );
if ( edt.exec() == QDialog::Accepted )
m_dialog->junosacl_epilog_script->setText( edt.text() );
}
void junosaclAdvancedDialog::scriptACLModeChanged()
{
}
void junosaclAdvancedDialog::toggleGenerateLogging()
{
m_dialog->syslog_controls->setEnabled(
m_dialog->generate_logging_commands->isChecked());
m_dialog->other_logging_controls->setEnabled(
m_dialog->generate_logging_commands->isChecked());
}
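Review bot: `m_dialog->filesystem` is registered twice in the constructor, once for `"filesystem"` and once for `"firewall_dir"`, so one line edit is bound to two options: `loadAll()` shows whichever binding is processed last and `saveAll()` writes the same text to both keys; if mirroring both keys is intended, say so in a comment, otherwise keep a single registration. `vers` and `platform` are computed and never used and can be removed. The migration block that sets `junosacl_acl_basic` / `junosacl_acl_no_clear` writes straight into the live firewall's options from the constructor rather than into the `FWCmdChange` new state that `accept()` uses, so that change bypasses the undo stack, and since the widgets for those options are commented out in this file it is unclear whether anything in the Junos compiler reads them (the comment above it also has the typo `iss`). `logLevelMapping` starts with two empty entries while `logLevels` has no blank item, unlike `syslogFacilities`, which does; the mapping looks inherited from the IOS dialog and should be checked against what `DialogData::registerOption` expects. `use_scp` is forced checked and disabled after `loadAll()`, so the stored value is always overwritten with true on accept, which matches the comment but deserves a note next to the registration.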


@@ -0,0 +1,72 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __JUNOSACLADVANCEDDIALOG_H_
#define __JUNOSACLADVANCEDDIALOG_H_
#include <ui_junosacladvanceddialog_q.h>
#include "DialogData.h"
#include <QDialog>
#include <string>
class QWidget;
class QSpinBox;
class QComboBox;
class QCheckBox;
class QProcess;
namespace libfwbuilder {
class FWObject;
};
class junosaclAdvancedDialog : public QDialog
{
Q_OBJECT
libfwbuilder::FWObject *obj;
DialogData data;
Ui::junosaclAdvancedDialog_q *m_dialog;
public:
junosaclAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o);
~junosaclAdvancedDialog();
protected slots:
virtual void accept();
virtual void reject();
virtual void editProlog();
virtual void editEpilog();
virtual void scriptACLModeChanged();
virtual void toggleGenerateLogging();
};
#endif // __JUNOSACLADVANCEDDIALOG_H


@@ -0,0 +1,1100 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>junosaclAdvancedDialog_q</class>
<widget class="QDialog" name="junosaclAdvancedDialog_q">
<property name="windowModality">
<enum>Qt::WindowModal</enum>
</property>
<property name="enabled">
<bool>true</bool>
</property>
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>743</width>
<height>600</height>
</rect>
</property>
<property name="windowTitle">
<string>jun-OS ACL Firewall Settings</string>
</property>
<property name="sizeGripEnabled">
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout_5">
<item row="0" column="0">
<widget class="QTabWidget" name="tabWidget">
<property name="currentIndex">
<number>0</number>
</property>
<widget class="QWidget" name="compiler_tab">
<attribute name="title">
<string>Compiler Options</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_9">
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_5">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Output file name (if left blank, the file name is constructed of the firewall object name and extension &quot;.fw&quot;)</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="outputFileName">
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>32767</width>
<height>22</height>
</size>
</property>
</widget>
</item>
<item row="4" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>170</height>
</size>
</property>
</spacer>
</item>
<item row="3" column="0" colspan="2">
<widget class="QGroupBox" name="frame114">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<string>Policy Compiler Options</string>
</property>
<property name="flat">
<bool>false</bool>
</property>
<property name="checkable">
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout_6">
<item row="0" column="0">
<widget class="QCheckBox" name="junosacl_ignore_empty_groups">
<property name="enabled">
<bool>false</bool>
</property>
<property name="toolTip">
<string>If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works!</string>
</property>
<property name="text">
<string>Ignore empty groups in rules</string>
</property>
<property name="checked">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="junosacl_check_shadowing">
<property name="enabled">
<bool>false</bool>
</property>
<property name="toolTip">
<string>Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule.</string>
</property>
<property name="text">
<string>Detect rule shadowing in the policy</string>
</property>
<property name="checked">
<bool>true</bool>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QGroupBox" name="groupBox">
<property name="enabled">
<bool>false</bool>
</property>
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_4">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QRadioButton" name="separate_acls_for_interfaces">
<property name="toolTip">
<string>Compiler creates multiple access lists from the same policy,
two for each interface: one for inbound and another for
outbound. If the policy is written in a such way that no rule
can possibly be associated with an interface, this interface
gets no access list at all. Also, interfaces marked as
&quot;unprotected&quot; never get access list regardless of how the policy
rules are designed.
</string>
</property>
<property name="text">
<string>Generate separate access list for each interface</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QRadioButton" name="one_acl_for_all_interfaces">
<property name="toolTip">
<string>Compiler creates one access list and assigns it to all
interfaces.
</string>
</property>
<property name="text">
<string>Create one access list and attach it to all interfaces</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="label">
<property name="text">
<string>Filter name prefix (if left blank, prefix is &quot;fwbfilter&quot;)</string>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QLineEdit" name="filterPrefix"/>
</item>
</layout>
</widget>
<widget class="QWidget" name="script_options_tab">
<attribute name="title">
<string>Script Options</string>
</attribute>
<layout class="QGridLayout">
<property name="leftMargin">
<number>20</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>20</number>
</property>
<property name="bottomMargin">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QGroupBox" name="frame170">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Expanding">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_7">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="1" column="0">
<spacer name="verticalSpacer">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>70</height>
</size>
</property>
</spacer>
</item>
<item row="0" column="0">
<widget class="QCheckBox" name="junosacl_include_comments">
<property name="toolTip">
<string>Insert comments into generated JUNOSACL configuration file</string>
</property>
<property name="text">
<string>Comment the code</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="installer_tab">
<attribute name="title">
<string>Installer</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_8">
<property name="leftMargin">
<number>4</number>
</property>
<property name="topMargin">
<number>4</number>
</property>
<property name="rightMargin">
<number>4</number>
</property>
<property name="bottomMargin">
<number>4</number>
</property>
<item row="2" column="0">
<widget class="QGroupBox" name="groupBox1">
<property name="title">
<string>External install script</string>
</property>
<layout class="QGridLayout" name="gridLayout_2">
<property name="verticalSpacing">
<number>6</number>
</property>
<item row="0" column="0">
<layout class="QHBoxLayout" name="horizontalLayout">
<item>
<widget class="QLabel" name="textLabel5_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Policy install script (using built-in installer if this field is blank):</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScript">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
<item row="1" column="0">
<layout class="QHBoxLayout" name="horizontalLayout_2">
<item>
<widget class="QLabel" name="textLabel6_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Command line options for the script:</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScriptArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="SCPgroupBox">
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_3">
<item row="2" column="1">
<spacer name="horizontalSpacer">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>398</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0" colspan="2">
<widget class="QLabel" name="label_3">
<property name="text">
<string>File system on the router where configuration file should be saved if it is copied with scp. Examples: &quot;/tmp&quot;, &quot;/var/tmp&quot;. If this input field is left blank, installer uses &quot;/tmp&quot;.</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="0" colspan="2">
<widget class="QCheckBox" name="use_scp">
<property name="enabled">
<bool>true</bool>
</property>
<property name="text">
<string>Copy generated configuration file to the router using scp</string>
</property>
<property name="checkable">
<bool>true</bool>
</property>
<property name="checked">
<bool>true</bool>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QLineEdit" name="filesystem"/>
</item>
</layout>
</widget>
</item>
<item row="3" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="0" column="0">
<widget class="QGroupBox" name="groupBox2">
<property name="title">
<string>Built-in installer</string>
</property>
<layout class="QGridLayout" name="gridLayout_125">
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_2">
<property name="text">
<string>User name used to authenticate to the firewall (leave this empty if you use putty session):</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="user">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel1_3">
<property name="text">
<string>Alternative name or address used to communicate with the firewall (also putty session name on Windows)</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QLineEdit" name="altAddress">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2">
<layout class="QHBoxLayout">
<item>
<widget class="QLabel" name="textLabel1_7">
<property name="text">
<string>Additional command line parameters for ssh</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="sshArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
<item row="3" column="0" colspan="2">
<layout class="QHBoxLayout" name="_2">
<item>
<widget class="QLabel" name="textLabel1_8">
<property name="text">
<string>Additional command line parameters for scp</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="scpArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="prolog_epilog_tab">
<attribute name="title">
<string>Prolog/Epilog</string>
</attribute>
<layout class="QGridLayout">
<property name="leftMargin">
<number>20</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>20</number>
</property>
<property name="bottomMargin">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QGroupBox" name="frame146">
<property name="title">
<string/>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>6</number>
</property>
<property name="topMargin">
<number>6</number>
</property>
<property name="rightMargin">
<number>6</number>
</property>
<property name="bottomMargin">
<number>6</number>
</property>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1">
<widget class="QPushButton" name="edit_prolog_button">
<property name="text">
<string>Edit</string>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="textLabel2">
<property name="text">
<string>The following commands will be added verbatim on top of generated configuration</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QTextEdit" name="junosacl_prolog_script"/>
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="frame147">
<property name="title">
<string/>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>6</number>
</property>
<property name="topMargin">
<number>6</number>
</property>
<property name="rightMargin">
<number>6</number>
</property>
<property name="bottomMargin">
<number>6</number>
</property>
<item row="2" column="1">
<widget class="QPushButton" name="edit_epilog_button">
<property name="text">
<string>Edit</string>
</property>
</widget>
</item>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0" colspan="2">
<widget class="QTextEdit" name="junosacl_epilog_script"/>
</item>
<item row="0" column="0" colspan="2">
<widget class="QLabel" name="textLabel2_2">
<property name="text">
<string>The following commands will be added verbatim after generated configuration</string>
</property>
<property name="textFormat">
<enum>Qt::RichText</enum>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="margin">
<number>0</number>
</property>
</widget>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="logging_tab">
<attribute name="title">
<string>Logging</string>
</attribute>
<layout class="QGridLayout">
<item row="0" column="0">
<widget class="QCheckBox" name="generate_logging_commands">
<property name="text">
<string>Generate logging commands</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="syslog_controls">
<property name="title">
<string>Syslog</string>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<item row="0" column="1" colspan="2">
<widget class="QLineEdit" name="syslog_host"/>
</item>
<item row="0" column="0">
<widget class="QLabel" name="label599">
<property name="text">
<string>Syslog host (name or IP address):</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QLabel" name="label598">
<property name="text">
<string>syslog facility:</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLabel" name="label640">
<property name="text">
<string>syslog level ('logging trap'):</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="1" colspan="2">
<widget class="QComboBox" name="syslog_facility"/>
</item>
<item row="3" column="1" colspan="2">
<widget class="QComboBox" name="logging_trap_level"/>
</item>
<item row="5" column="0" colspan="3">
<widget class="Line" name="hseparator39">
<property name="frameShape">
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="7" column="0" colspan="3">
<widget class="Line" name="hseparator40">
<property name="frameShape">
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="8" column="0" colspan="3">
<widget class="QLabel" name="label641">
<property name="text">
<string>The logging timestamp command requires that the clock command be set.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="9" column="0" colspan="3">
<widget class="QCheckBox" name="logging_timestamp">
<property name="text">
<string>Enable logging timestamps on syslog file</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="2" column="0">
<widget class="QGroupBox" name="other_logging_controls">
<property name="title">
<string>Other logging destinations and levels:</string>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="logging_buffered">
<property name="text">
<string>Internal buffer</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="logging_console">
<property name="text">
<string>Console</string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QComboBox" name="logging_buffered_level"/>
</item>
<item row="1" column="1">
<widget class="QComboBox" name="logging_console_level"/>
</item>
</layout>
</widget>
</item>
<item row="3" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>675</width>
<height>121</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="ipv6_tab">
<attribute name="title">
<string>IPv6</string>
</attribute>
<layout class="QGridLayout">
<item row="1" column="0">
<widget class="QLabel" name="label_2">
<property name="text">
<string>The order in which ipv4 and ipv6 rules should be generated:</string>
</property>
</widget>
</item>
<item row="1" column="1">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="0">
<widget class="QComboBox" name="ipv4before_2">
<item>
<property name="text">
<string>IPv4 before IPv6</string>
</property>
</item>
<item>
<property name="text">
<string>IPv6 before IPv4</string>
</property>
</item>
</widget>
</item>
<item row="3" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
<item row="1" column="0">
<layout class="QHBoxLayout">
<item>
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item>
<layout class="QHBoxLayout">
<item>
<widget class="QPushButton" name="ok_button">
<property name="text">
<string>OK</string>
</property>
</widget>
</item>
<item>
<widget class="QLabel" name="label583">
<property name="alignment">
<set>Qt::AlignCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="cancel_button">
<property name="text">
<string>Cancel</string>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</item>
</layout>
</widget>
<tabstops>
<tabstop>outputFileName</tabstop>
<tabstop>separate_acls_for_interfaces</tabstop>
<tabstop>one_acl_for_all_interfaces</tabstop>
<tabstop>junosacl_ignore_empty_groups</tabstop>
<tabstop>junosacl_check_shadowing</tabstop>
<tabstop>junosacl_include_comments</tabstop>
<tabstop>user</tabstop>
<tabstop>altAddress</tabstop>
<tabstop>sshArgs</tabstop>
<tabstop>scpArgs</tabstop>
<tabstop>use_scp</tabstop>
<tabstop>filesystem</tabstop>
<tabstop>installScript</tabstop>
<tabstop>installScriptArgs</tabstop>
<tabstop>junosacl_prolog_script</tabstop>
<tabstop>edit_prolog_button</tabstop>
<tabstop>junosacl_epilog_script</tabstop>
<tabstop>edit_epilog_button</tabstop>
<tabstop>generate_logging_commands</tabstop>
<tabstop>syslog_host</tabstop>
<tabstop>syslog_facility</tabstop>
<tabstop>logging_trap_level</tabstop>
<tabstop>logging_timestamp</tabstop>
<tabstop>logging_buffered</tabstop>
<tabstop>logging_console</tabstop>
<tabstop>logging_buffered_level</tabstop>
<tabstop>logging_console_level</tabstop>
<tabstop>ipv4before_2</tabstop>
<tabstop>ok_button</tabstop>
<tabstop>cancel_button</tabstop>
<tabstop>tabWidget</tabstop>
</tabstops>
<resources/>
<connections>
<connection>
<sender>ok_button</sender>
<signal>clicked()</signal>
<receiver>junosaclAdvancedDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>cancel_button</sender>
<signal>clicked()</signal>
<receiver>junosaclAdvancedDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>edit_prolog_button</sender>
<signal>clicked()</signal>
<receiver>junosaclAdvancedDialog_q</receiver>
<slot>editProlog()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>edit_epilog_button</sender>
<signal>clicked()</signal>
<receiver>junosaclAdvancedDialog_q</receiver>
<slot>editEpilog()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>generate_logging_commands</sender>
<signal>toggled(bool)</signal>
<receiver>junosaclAdvancedDialog_q</receiver>
<slot>toggleGenerateLogging()</slot>
<hints>
<hint type="sourcelabel">
<x>359</x>
<y>55</y>
</hint>
<hint type="destinationlabel">
<x>359</x>
<y>359</y>
</hint>
</hints>
</connection>
</connections>
</ui>


@@ -0,0 +1,143 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>junosAdvancedDialog_q</class>
<widget class="QDialog" name="junosAdvancedDialog_q">
<property name="windowModality">
<enum>Qt::WindowModal</enum>
</property>
<property name="enabled">
<bool>true</bool>
</property>
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>597</width>
<height>188</height>
</rect>
</property>
<property name="windowTitle">
<string>JUNOS Advanced Configuration Options</string>
</property>
<layout class="QGridLayout">
<item row="1" column="0">
<layout class="QHBoxLayout">
<item>
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>151</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item>
<widget class="QPushButton" name="ok_button">
<property name="text">
<string>OK</string>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="cancel_button">
<property name="text">
<string>Cancel</string>
</property>
</widget>
</item>
</layout>
</item>
<item row="0" column="0">
<widget class="QTabWidget" name="tabWidget">
<widget class="QWidget" name="TabPage">
<attribute name="title">
<string>General</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<number>0</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="junos_set_host_name">
<property name="text">
<string>Set router name using object's name</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="junos_ip_address">
<property name="text">
<string>Generate commands to configure addresses for interfaces</string>
</property>
</widget>
</item>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
</layout>
</widget>
<layoutdefault spacing="6" margin="11"/>
<tabstops>
<tabstop>junos_set_host_name</tabstop>
<tabstop>tabWidget</tabstop>
<tabstop>junos_ip_address</tabstop>
<tabstop>ok_button</tabstop>
<tabstop>cancel_button</tabstop>
</tabstops>
<resources/>
<connections>
<connection>
<sender>ok_button</sender>
<signal>clicked()</signal>
<receiver>junosAdvancedDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>cancel_button</sender>
<signal>clicked()</signal>
<receiver>junosAdvancedDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
</connections>
</ui>
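Review bot: The `General` tab's `QGridLayout` still uses the single `<property name="margin">` form (`<number>0</number>`), while this same commit replaces that property with the four-sided `leftMargin`/`topMargin`/`rightMargin`/`bottomMargin` properties in the other .ui file it touches (see the `@@ -17,7 +17,16 @@` hunk further down); the new dialog should follow the same convention so it does not need the same migration later. The tab order also looks off: `tabWidget` is listed between `junos_set_host_name` and `junos_ip_address`, so keyboard focus would presumably leave the first checkbox for the tab bar before reaching the second one — confirm this is intended, otherwise move `<tabstop>tabWidget</tabstop>` ahead of the two checkboxes. The margin change is the mechanical replacement shown below.
```xml
<layout class="QGridLayout">
 <property name="leftMargin">
  <number>0</number>
 </property>
 <property name="topMargin">
  <number>0</number>
 </property>
 <property name="rightMargin">
  <number>0</number>
 </property>
 <property name="bottomMargin">
  <number>0</number>
 </property>
 <!-- … unchanged: junos_set_host_name, junos_ip_address checkboxes and spacer … -->
```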


@@ -36,6 +36,7 @@ HEADERS += ../../config.h \
SSHPIX.h \
SSHIOS.h \
SSHNXOS.h \
SSHJUNOS.h \
SSHProcurve.h \
debugDialog.h \
findDialog.h \
@@ -110,6 +111,8 @@ HEADERS += ../../config.h \
iosAdvancedDialog.h \
nxosaclAdvancedDialog.h \
nxosAdvancedDialog.h \
junosaclAdvancedDialog.h \
junosAdvancedDialog.h \
ipcoposAdvancedDialog.h \
linux24AdvancedDialog.h \
linksysAdvancedDialog.h \
@@ -137,6 +140,7 @@ HEADERS += ../../config.h \
instDialog.h \
FirewallInstaller.h \
FirewallInstallerCisco.h \
FirewallInstallerJuniper.h \
FirewallInstallerProcurve.h \
FirewallInstallerUnx.h \
newFirewallDialog.h \
@@ -254,6 +258,7 @@ SOURCES += ProjectPanel.cpp \
SSHPIX.cpp \
SSHIOS.cpp \
SSHNXOS.cpp \
SSHJUNOS.cpp \
SSHProcurve.cpp \
debugDialog.cpp \
findDialog.cpp \
@@ -328,6 +333,8 @@ SOURCES += ProjectPanel.cpp \
iosAdvancedDialog.cpp \
nxosaclAdvancedDialog.cpp \
nxosAdvancedDialog.cpp \
junosaclAdvancedDialog.cpp \
junosAdvancedDialog.cpp \
ipcoposAdvancedDialog.cpp \
linux24AdvancedDialog.cpp \
linksysAdvancedDialog.cpp \
@@ -358,6 +365,7 @@ SOURCES += ProjectPanel.cpp \
instDialog_installer.cpp \
FirewallInstaller.cpp \
FirewallInstallerCisco.cpp \
FirewallInstallerJuniper.cpp \
FirewallInstallerProcurve.cpp \
FirewallInstallerUnx.cpp \
newFirewallDialog.cpp \
@@ -494,6 +502,8 @@ FORMS = FWBMainWindow_q.ui \
iosadvanceddialog_q.ui \
nxosacladvanceddialog_q.ui \
nxosadvanceddialog_q.ui \
junosacladvanceddialog_q.ui \
junosadvanceddialog_q.ui \
procurveacladvanceddialog_q.ui \
simpletexteditor_q.ui \
simpleinteditor_q.ui \
@@ -605,6 +615,7 @@ INCLUDEPATH += \
../iptlib \
../pflib \
../cisco_lib \
../juniper_lib \
../compiler_lib \
../libfwbuilder/src
@@ -613,6 +624,7 @@ DEPENDPATH += \
../iptlib \
../pflib \
../cisco_lib/ \
../juniper_lib \
../compiler_lib \
../libfwbuilder/src


@@ -17,7 +17,16 @@
<property name="spacing">
<number>12</number>
</property>
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<item>
@@ -41,11 +50,84 @@
<number>0</number>
</property>
<property name="currentIndex">
<number>0</number>
<number>7</number>
</property>
<widget class="QWidget" name="blank">
<layout class="QGridLayout">
<property name="leftMargin">
<number>2</number>
</property>
<property name="topMargin">
<number>2</number>
</property>
<property name="rightMargin">
<number>2</number>
</property>
<property name="bottomMargin">
<number>2</number>
</property>
<property name="spacing">
<number>2</number>
</property>
<item row="0" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel1_7">
<property name="text">
<string>There are no options for this firewall platform</string>
</property>
<property name="alignment">
<set>Qt::AlignCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="ipt">
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -70,7 +152,16 @@
<string>General</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_3">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -158,7 +249,16 @@
<string>Logging</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -318,7 +418,16 @@
<string>limit</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_10">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -493,7 +602,16 @@
<string>connlimit</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_9">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -1073,7 +1191,16 @@
<string>Tag</string>
</attribute>
<layout class="QGridLayout" name="gridLayout">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -1159,7 +1286,16 @@
<string>Classify</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_12">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -1214,7 +1350,16 @@
<string>Route</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_21">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -1495,7 +1640,16 @@ p, li { white-space: pre-wrap; }
<string>Logging</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_6">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -1598,7 +1752,16 @@ p, li { white-space: pre-wrap; }
<string>Route</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_18">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -1609,7 +1772,16 @@ p, li { white-space: pre-wrap; }
<property name="spacing">
<number>12</number>
</property>
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<item>
@@ -1701,7 +1873,16 @@ p, li { white-space: pre-wrap; }
</widget>
<widget class="QWidget" name="pf">
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -1900,7 +2081,16 @@ p, li { white-space: pre-wrap; }
<string>Logging</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -1958,7 +2148,16 @@ p, li { white-space: pre-wrap; }
<string>Limits</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -2201,7 +2400,16 @@ p, li { white-space: pre-wrap; }
<string>TCP</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_122">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -2248,7 +2456,16 @@ p, li { white-space: pre-wrap; }
<string>Tag</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_14">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -2321,7 +2538,16 @@ p, li { white-space: pre-wrap; }
<string>Classify</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_15">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -2378,7 +2604,16 @@ p, li { white-space: pre-wrap; }
<property name="spacing">
<number>12</number>
</property>
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<item>
@@ -2458,7 +2693,16 @@ p, li { white-space: pre-wrap; }
<property name="spacing">
<number>12</number>
</property>
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<item>
@@ -2559,7 +2803,16 @@ p, li { white-space: pre-wrap; }
</widget>
<widget class="QWidget" name="ipfw">
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>2</number>
</property>
<property name="topMargin">
<number>2</number>
</property>
<property name="rightMargin">
<number>2</number>
</property>
<property name="bottomMargin">
<number>2</number>
</property>
<property name="spacing">
@@ -2578,7 +2831,16 @@ p, li { white-space: pre-wrap; }
<string>State Tracking</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_4">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -2763,7 +3025,16 @@ p, li { white-space: pre-wrap; }
</widget>
<widget class="QWidget" name="pix">
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>2</number>
</property>
<property name="topMargin">
<number>2</number>
</property>
<property name="rightMargin">
<number>2</number>
</property>
<property name="bottomMargin">
<number>2</number>
</property>
<property name="spacing">
@@ -2778,7 +3049,16 @@ p, li { white-space: pre-wrap; }
<enum>QFrame::Raised</enum>
</property>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
@@ -2966,59 +3246,69 @@ p, li { white-space: pre-wrap; }
</item>
</layout>
</widget>
<widget class="QWidget" name="blank">
<layout class="QGridLayout">
<property name="margin">
<number>2</number>
</property>
<property name="spacing">
<number>2</number>
</property>
<widget class="QWidget" name="junosacl">
<layout class="QGridLayout" name="gridLayout_22">
<item row="0" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
<widget class="QTabWidget" name="tabwJunos">
<property name="tabShape">
<enum>QTabWidget::Triangular</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel1_7">
<property name="text">
<string>There are no options for this firewall platform</string>
</property>
<property name="alignment">
<set>Qt::AlignCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
<property name="currentIndex">
<number>0</number>
</property>
<widget class="QWidget" name="tab_1">
<attribute name="title">
<string>Counting</string>
</attribute>
<layout class="QVBoxLayout" name="verticalLayout">
<item>
<layout class="QHBoxLayout" name="horizontalLayout_6">
<item>
<layout class="QGridLayout" name="gridLayout_23">
<item row="0" column="0">
<widget class="QLabel" name="label_7">
<property name="text">
<string>Counter name:</string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="counterLineEdit"/>
</item>
</layout>
</item>
<item>
<spacer name="horizontalSpacer_17">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>80</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</item>
<item>
<spacer name="verticalSpacer_8">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>235</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
@@ -3109,9 +3399,7 @@ p, li { white-space: pre-wrap; }
<tabstop>iosacl_add_mirror_rule</tabstop>
<tabstop>tabWidget</tabstop>
</tabstops>
<resources>
<include location="MainRes.qrc"/>
</resources>
<resources/>
<connections>
<connection>
<sender>ipt_connlimit_above_not</sender>


@@ -0,0 +1,8 @@
## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script.
##
## These are commands built-in policy installer runs on the firewall
file delete {{$fwdir}}/{{$fwscript}}


@@ -0,0 +1,23 @@
## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script. Regular shell comments can be added
## using single "#", these will appear in the script.
##
##
## These are commands built-in policy installer runs on the firewall if
## installation is performed using regular user account for authentication
##
## Variables:
##
## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in
## {{$fwdir}} -- directory on the firewall ("flash:" or "nvram:" or similar)
## {{$fwscript}} -- script name on the firewall
## {{$rbtimeout}} -- rollback timeout
## {{$rbtimeout_sec}} -- rollback timeout (sec)
##
## {{$firewall_name}} -- the name of the firewall object
##
load replace {{$fwdir}}/{{$fwscript}}
commit
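Review bot: The final `commit` activates the loaded filter unconditionally, so a generated filter that cuts off the management session cannot be backed out automatically, even though the header documents `{{$rbtimeout}}` and `{{$rbtimeout_sec}}` as rollback timeouts and neither is used. Junos offers `commit confirmed <minutes>`, which reverts on its own unless a plain `commit` follows; if `{{$rbtimeout}}` is expressed in minutes, replacing the last line with `commit confirmed {{$rbtimeout}}` and having the installer send the confirming `commit` once the session is verified reachable would give this platform the same rollback protection the other installers describe. The `{{$fwdir}}` comment ("flash:" or "nvram:") is carried over from the IOS configlet, while the Junos OS resource in this commit sets it to a filesystem path, so the comment should say that. Whether the installer enters configuration mode before this runs is not visible here; `load replace` presumably relies on that happening elsewhere.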


@@ -0,0 +1,38 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/ios/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
{{$top_comment}}
{{$errors_and_warnings}}
#
# Prolog script:
#
{{$prolog_script}}
#
# End of prolog script:
#
{{$other_os_configuration_commands}}
{{$system_configuration_script}}
{{$policy_script}}
#
# Epilog script:
#
{{$epilog_script}}
# End of epilog script:
#
#
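Review bot: The header comment tells users to copy this configlet to `fwbuilder/configlets/ios/`, which is the IOS override directory, so overrides placed there will not affect this platform; the line should name the junosacl directory, e.g. `## fwbuilder/configlets/<junosacl configlet directory>/ in your home directory and modify it.` with the real directory filled in. The same paragraph has the typo `comments are be retained`, which should read `comments are retained`. The skeleton itself (prolog, OS and system configuration, policy, epilog) matches the other platforms' script configlets.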


@@ -0,0 +1,12 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_junosacl v{{$version}}
#
# Generated {{$timestamp}} {{$tz}} by {{$user}}
#
# Compiled for {{$platform}} {{$fw_version}}
#
{{$manifest}}
#
{{$comment}}


@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="@FWBUILDER_XML_VERSION@" lastModified="1372251600" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="@FWBUILDER_XML_VERSION@" lastModified="1411516800" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -119,6 +119,7 @@
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="junosacl">tcp-established</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
@@ -128,6 +129,7 @@
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="junosacl">tcp-established</CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
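Review bot: `tcp-established` is the natural Junos match for these two services, but it is a stateless header check — Junos documents it as a synonym for matching TCP packets with the ACK or RST flag set — whereas the `comment` on both `ESTABLISHED` services describes stateful connection tracking. The existing `procurve_acl` and IOS `established` values have the same limitation, so the addition fits the file, but a rule written on the assumption of state tracking will on junosacl match any packet carrying ACK regardless of whether a connection exists. A short statement in the platform documentation (or in the service comment) that on junosacl this service matches on TCP flags only would make that explicit for users.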

64
src/res/os/junos.xml Normal file

@@ -0,0 +1,64 @@
<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
<FWBuilderResources>
<Target name="junos">
<description>Juniper Junos</description>
<status>active</status>
<compiler>fwb_junosacl</compiler>
<family>junos</family>
<dialog>junos</dialog>
<cluster_dialog>basic</cluster_dialog>
<options>
<user_can_change_install_dir>true</user_can_change_install_dir>
<default>
</default>
<activation>
<fwdir>/tmp</fwdir>
<fwdir_test>/tmp</fwdir_test>
</activation>
</options>
<capabilities>
<supports_routing>True</supports_routing>
<supports_metric>True</supports_metric>
<supports_routing_itf>True</supports_routing_itf>
<supports_advanced_interface_options>False</supports_advanced_interface_options>
<supports_cluster>True</supports_cluster>
</capabilities>
<protocols>
<failover>
<string>none,None</string>
</failover>
<state_sync>
<string>none,None</string>
</state_sync>
<none>
<needs_master>False</needs_master>
<no_ip_ok>True</no_ip_ok>
<manage_addresses>True</manage_addresses>
<dialog></dialog>
</none>
</protocols>
<interfaces>
<cluster>
</cluster>
<firewall>
<string>ethernet,Ethernet</string>
</firewall>
</interfaces>
<subinterfaces>
<ethernet>
<string>8021q,VLAN</string>
<string>unknown,Unknown</string>
</ethernet>
</subinterfaces>
</Target>
</FWBuilderResources>
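Review bot: `<supports_cluster>True</supports_cluster>` in `capabilities` conflicts with the `junosacl` platform resource added in the same commit, which sets `supports_cluster` to `False`; with only `none` offered for failover and state sync here, one of the two should be aligned so the GUI does not offer cluster objects that no platform compiles. The activation directory `/tmp` (`fwdir` and `fwdir_test`) is a shared location on the device, and the installer later runs `load replace` on the file uploaded there; a per-user directory as the default would narrow the window in which another local account could alter the file before it is loaded, and the installer configlet's description of `{{$fwdir}}` should be updated to match whichever path is chosen. The empty `<default>` block is fine if no OS-level options exist, but a comment saying so (`<!-- no OS-level options for Junos yet -->`) would save the next reader a search.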


@@ -0,0 +1,188 @@
<?xml version="1.0"?>
<FWBuilderResources>
<Target name="junosacl">
<description>Juniper Junos ACL</description>
<status>active</status>
<group>Juniper</group>
<compiler>fwb_junosacl</compiler>
<dialog>junosacl</dialog>
<installer>fwb_inst_junosacl</installer>
<diff>fwb_junos_acl_diff</diff>
<supported_os>junos</supported_os>
<versions>11.2</versions>
<options>
<default>
<junosacl_include_comments>true</junosacl_include_comments>
<junosacl_add_clear_statements>true</junosacl_add_clear_statements>
<junosacl_assume_fw_part_of_any>true</junosacl_assume_fw_part_of_any>
</default>
<version_12.1>
<junosacl_include_comments>true</junosacl_include_comments>
<junosacl_add_clear_statements>true</junosacl_add_clear_statements>
<junosacl_assume_fw_part_of_any>true</junosacl_assume_fw_part_of_any>
<supports_mixed_service_groups>False</supports_mixed_service_groups>
<junosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</junosacl_commands>
</version_12.1>
<version_12.2>
<junosacl_include_comments>true</junosacl_include_comments>
<junosacl_add_clear_statements>true</junosacl_add_clear_statements>
<junosacl_assume_fw_part_of_any>true</junosacl_assume_fw_part_of_any>
<supports_mixed_service_groups>False</supports_mixed_service_groups>
<junosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</junosacl_commands>
</version_12.2>
<version_12.3>
<junosacl_include_comments>true</junosacl_include_comments>
<junosacl_add_clear_statements>true</junosacl_add_clear_statements>
<junosacl_assume_fw_part_of_any>true</junosacl_assume_fw_part_of_any>
<supports_mixed_service_groups>False</supports_mixed_service_groups>
<junosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</junosacl_commands>
</version_12.3>
<version_12.4>
<junosacl_include_comments>true</junosacl_include_comments>
<junosacl_add_clear_statements>true</junosacl_add_clear_statements>
<junosacl_assume_fw_part_of_any>true</junosacl_assume_fw_part_of_any>
<supports_mixed_service_groups>False</supports_mixed_service_groups>
<junosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</junosacl_commands>
</version_12.4>
</options>
<capabilities>
<negation_in_interface_policy>False</negation_in_interface_policy>
<negation_in_policy>False</negation_in_policy>
<negation_in_nat>False</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>False</supports_nat>
<actions_in_nat>False</actions_in_nat>
<inbound_interface_in_nat>False</inbound_interface_in_nat>
<outbound_interface_in_nat>False</outbound_interface_in_nat>
<supports_time>False</supports_time>
<supports_accounting>True</supports_accounting>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>False</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>
<description>Accept</description>
<dialog_page>None</dialog_page>
</Accept>
<Deny>
<supported>True</supported>
<description>Deny</description>
<dialog_page>None</dialog_page>
</Deny>
<Reject>
<supported>True</supported>
<description>Reject</description>
<dialog_page>Reject</dialog_page>
</Reject>
<Accounting>
<supported>False</supported>
<description>Accounting</description>
<dialog_page>None</dialog_page>
</Accounting>
<Tag>
<supported>False</supported>
<description>Tag</description>
<dialog_page>None</dialog_page>
</Tag>
<Pipe>
<supported>False</supported>
<description>Pipe</description>
<dialog_page>None</dialog_page>
</Pipe>
<Classify>
<supported>False</supported>
<description>Classify</description>
<dialog_page>None</dialog_page>
</Classify>
<Custom>
<supported>False</supported>
<description>Custom</description>
<dialog_page>None</dialog_page>
</Custom>
<Branch>
<supported>False</supported>
<description>Branch</description>
<dialog_page>None</dialog_page>
</Branch>
<Route>
<supported>False</supported>
<description>Route</description>
<dialog_page>None</dialog_page>
</Route>
<Translate>
<supported>False</supported>
<description>Translate</description>
<dialog_page>None</dialog_page>
</Translate>
<NATBranch>
<supported>False</supported>
<description>Branch</description>
<dialog_page>None</dialog_page>
</NATBranch>
</actions>
</capabilities>
</Target>
</FWBuilderResources>
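Review bot: The `junosacl_commands` blocks under `version_12.1` through `version_12.4` contain Cisco IOS syntax (`no access-list`, `no ip access-list extended`, `interface %in` / `ip address %a %n`, `ip address dhcp`), which is not valid Junos configuration; if the compiler emits these when `junosacl_add_clear_statements` is true (the default), the generated script will fail at `load replace`. Either replace them with the Junos equivalents or remove the block until the compiler consumes it, and add a comment stating which. Separately, `<versions>11.2</versions>` is the only version offered, yet there is no `version_11.2` option block while the four `version_12.x` blocks are not listed, so the per-version options are presumably never selected. `<supports_cluster>False</supports_cluster>` here also disagrees with the `junos` OS resource added in this commit.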


@@ -5,7 +5,7 @@ include(../qmake.inc)
TEMPLATE = subdirs
CONFIG += ordered
CONFIG += ordered debug
TARGET = src
@@ -27,6 +27,8 @@ SUBDIRS = libfwbuilder \
iosacl \
pix \
procurve_acl \
juniper_lib \
junosacl \
libgui \
fwbedit \
gui \
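Review bot: `CONFIG += ordered debug` on the top-level `src.pro` switches every subproject to a debug build for all users, which looks like a local development setting that slipped into a feature commit; unless a debug default is intended, revert to `CONFIG += ordered` and enable debug per build (`qmake CONFIG+=debug`). The `juniper_lib` and `junosacl` entries are placed before `libgui` in `SUBDIRS`, which under `CONFIG += ordered` is consistent with how the other compiler subdirectories are listed.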