
refs #1107 preparing for object-group support for IOS. Added BaseObjectGroup class

This commit is contained in:
Vadim Kurland 2010-01-20 23:24:54 +00:00
parent 325f12f29a
commit 7385aeb4c0
9 changed files with 320 additions and 282 deletions


@ -1 +1 @@
#define BUILD_NUM 2400
#define BUILD_NUM 2401


@ -0,0 +1,106 @@
/*
Firewall Builder
Copyright (C) 2002 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "BaseObjectGroup.h"
#include <iostream>
#include <sstream>
using namespace libfwbuilder;
using namespace std;
map<string,int> BaseObjectGroup::nc;
const char *BaseObjectGroup::TYPENAME={"BaseObjectGroup"};
string BaseObjectGroup::registerGroupName(const std::string &prefix)
{
ostringstream str;
str << prefix;
switch (getObjectGroupType())
{
case UNKNOWN: str << ".unknown"; break;
case NETWORK: str << ".net"; break;
case PROTO: str << ".proto"; break;
case ICMP_TYPE: str << ".icmp"; break;
case TCP_SERVICE: str << ".tcp"; break;
case UDP_SERVICE: str << ".udp"; break;
}
int n=nc[str.str()];
nc[str.str()]=n+1;
str << "." << n;
return str.str();
}
void BaseObjectGroup::setName(const std::string &prefix)
{
FWObject::setName( registerGroupName(prefix) );
}
bool BaseObjectGroup::isServiceGroup()
{
switch (getObjectGroupType())
{
case PROTO: return true;
case ICMP_TYPE: return true;
case TCP_SERVICE: return true;
case UDP_SERVICE: return true;
default: return false;
}
return false;
}
bool BaseObjectGroup::isObjectGroup()
{
switch (getObjectGroupType())
{
case UNKNOWN: return true;
case NETWORK: return true;
default: return false;
}
return false;
}
string BaseObjectGroup::getSrvTypeName()
{
switch (getObjectGroupType())
{
case ICMP_TYPE: return "icmp";
case TCP_SERVICE: return "tcp";
case UDP_SERVICE: return "udp";
default: break;
}
return "";
}
string BaseObjectGroup::toString() throw(FWException)
{
return "";
}


@ -0,0 +1,68 @@
/*
Firewall Builder
Copyright (C) 2002 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __BASEOBJECTGROUP_HH
#define __BASEOBJECTGROUP_HH
#include "fwbuilder/FWObject.h"
#include "fwbuilder/ObjectGroup.h"
#include "fwbuilder/ServiceGroup.h"
#include "fwbuilder/FWException.h"
typedef enum { UNKNOWN,
NETWORK,
PROTO,
ICMP_TYPE,
TCP_SERVICE,
UDP_SERVICE } pix_group_type;
class BaseObjectGroup : public libfwbuilder::Group {
private:
pix_group_type gt;
static std::map<std::string,int> nc;
protected:
std::string registerGroupName(const std::string &prefix);
public:
BaseObjectGroup(pix_group_type _gt=UNKNOWN) : libfwbuilder::Group() { gt=_gt; }
virtual ~BaseObjectGroup() {};
DECLARE_FWOBJECT_SUBTYPE(BaseObjectGroup);
virtual bool validateChild(FWObject*) { return true; }
void setObjectGroupType(pix_group_type _gt) { gt=_gt; }
pix_group_type getObjectGroupType() { return gt; }
virtual void setName(const std::string &prefix);
bool isServiceGroup();
bool isObjectGroup();
std::string getSrvTypeName();
virtual std::string toString() throw(libfwbuilder::FWException);
};
#endif
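Review bot: The class uses `std::map<std::string,int>` (the static `nc` member) and `std::string` throughout, but the header includes only the four fwbuilder headers, so it compiles only while one of them transitively pulls in `<map>` and `<string>`; add `#include <map>` and `#include <string>` explicitly. `getObjectGroupType()`, `isServiceGroup()`, `isObjectGroup()` and `getSrvTypeName()` do not modify the object and should be declared `const` so they are callable through `const` pointers. The enum `pix_group_type` with the bare enumerators `UNKNOWN`, `NETWORK`, `PROTO` now lives at global scope in a header the commit intends to share across compilers; nesting it inside the class (`BaseObjectGroup::NETWORK`) avoids clashes with other enums or macros of the same name. The include guard `__BASEOBJECTGROUP_HH` is a reserved identifier (leading double underscore); a guard without the underscores avoids that.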


@ -27,92 +27,126 @@
#include "PIXObjectGroup.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include <iostream>
#include <sstream>
using namespace libfwbuilder;
using namespace std;
map<string,int> PIXGroup::nc;
const char *PIXGroup::TYPENAME={"PIXGroup"};
string PIXGroup::registerGroupName(const std::string &prefix)
{
ostringstream str;
str << prefix;
switch (getPIXGroupType())
{
case UNKNOWN: str << ".unknown"; break;
case NETWORK: str << ".net"; break;
case PROTO: str << ".proto"; break;
case ICMP_TYPE: str << ".icmp"; break;
case TCP_SERVICE: str << ".tcp"; break;
case UDP_SERVICE: str << ".udp"; break;
}
int n=nc[str.str()];
nc[str.str()]=n+1;
str << "." << n;
return str.str();
}
void PIXGroup::setName(const std::string &prefix)
{
FWObject::setName( registerGroupName(prefix) );
}
bool PIXGroup::isServiceGroup()
{
switch (getPIXGroupType())
{
case PROTO: return true;
case ICMP_TYPE: return true;
case TCP_SERVICE: return true;
case UDP_SERVICE: return true;
default: return false;
}
return false;
}
bool PIXGroup::isObjectGroup()
{
switch (getPIXGroupType())
{
case UNKNOWN: return true;
case NETWORK: return true;
default: return false;
}
return false;
}
string PIXGroup::getSrvTypeName()
{
switch (getPIXGroupType())
{
case ICMP_TYPE: return "icmp";
case TCP_SERVICE: return "tcp";
case UDP_SERVICE: return "udp";
default: break;
}
return "";
}
#if 0
void PIXServiceGroup::setName(const std::string &prefix)
{
FWObject::setName( registerGroupName(prefix) );
}
const char *PIXObjectGroup::TYPENAME={"PIXObjectGroup"};
PIXObjectGroup::PIXObjectGroup(pix_group_type _gt) :
ObjectGroup(), PIXGroup(_gt) {}
string PIXObjectGroup::toString() throw(FWException)
{
ostringstream ostr;
if (this->size()==0) return "";
const char *PIXServiceGroup::TYPENAME={"PIXServiceGroup"};
switch (this->getObjectGroupType())
{
case NETWORK:
ostr << "object-group network "
<< this->getName() << endl;
break;
case PROTO:
ostr << "object-group protocol "
<< this->getName() << endl;
break;
case ICMP_TYPE:
ostr << "object-group icmp-type "
<< this->getName() << endl;
break;
case TCP_SERVICE:
ostr << "object-group service "
<< this->getName() << " tcp" << endl;
break;
case UDP_SERVICE:
ostr << "object-group service "
<< this->getName() << " udp" << endl;
break;
default:
throw FWException("Unknown object group type");
}
PIXServiceGroup::PIXServiceGroup(pix_group_type _gt) :
ServiceGroup(), PIXGroup(_gt) {}
for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
switch (this->getObjectGroupType())
{
case NETWORK:
{
Address *a = Address::cast(obj);
assert(a!=NULL);
const InetAddr *addr = a->getAddressPtr();
ostr << " network-object ";
if (Network::cast(obj)!=NULL)
{
const InetAddr *mask = a->getNetmaskPtr();
ostr << addr->toString() << " ";
ostr << mask->toString() << " ";
} else {
ostr << " host ";
ostr << addr->toString() << " ";
}
ostr << endl;
break;
}
case PROTO:
{
ostr << " protocol-object ";
Service *s=Service::cast(obj);
assert(s!=NULL);
ostr << s->getProtocolName();
ostr << endl;
break;
}
case ICMP_TYPE:
{
ostr << " icmp-object ";
ICMPService *s=ICMPService::cast(obj);
assert(s!=NULL);
if ( s->getInt("type")== -1)
ostr << "any";
else
ostr << s->getInt("type");
ostr << endl;
break;
}
case TCP_SERVICE:
case UDP_SERVICE:
{
ostr << " port-object ";
Service *s=Service::cast(obj);
assert(s!=NULL);
int rs=TCPUDPService::cast(s)->getDstRangeStart();
int re=TCPUDPService::cast(s)->getDstRangeEnd();
if (rs<0) rs=0;
if (re<0) re=0;
if (rs>0 || re>0) {
if (rs==re) ostr << "eq " << rs;
else ostr << "range " << rs << " " << re;
}
else ostr << "range 0 65535";
ostr << endl;
break;
}
default:
throw FWException("Unknown object group type");
}
}
ostr << " exit" << endl << endl;
return ostr.str();
}
#endif
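Review bot: In `PIXObjectGroup::toString()`, the `TCP_SERVICE`/`UDP_SERVICE` branch dereferences `TCPUDPService::cast(s)` twice without checking the result, although `Service::cast(obj)` just above is asserted and the other branches check their casts; a group member that is a Service but not a TCP/UDP service (which looks possible, since the group type appears to be chosen elsewhere from the first element only) would crash the compiler instead of producing the diagnostic the `default:` branch gives. Use one checked cast: `TCPUDPService *tus = TCPUDPService::cast(s); if (tus==NULL) throw FWException("port-object requires a TCP or UDP service");` and read `getDstRangeStart()`/`getDstRangeEnd()` from `tus`. The `assert()` calls rely on a transitive `<cassert>`, which should be included explicitly, and they vanish under NDEBUG, so the `assert(a!=NULL)`/`assert(s!=NULL)` guards are better expressed as the same `throw FWException(...)` handling the function already uses for an unknown group type.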


@ -26,69 +26,18 @@
#ifndef __PIXOBJECTGROUP_HH
#define __PIXOBJECTGROUP_HH
#include "fwbuilder/FWObject.h"
#include "fwbuilder/ObjectGroup.h"
#include "fwbuilder/ServiceGroup.h"
#include "BaseObjectGroup.h"
typedef enum { UNKNOWN,
NETWORK,
PROTO,
ICMP_TYPE,
TCP_SERVICE,
UDP_SERVICE } pix_group_type;
class PIXGroup : public libfwbuilder::Group {
private:
pix_group_type gt;
static std::map<std::string,int> nc;
protected:
std::string registerGroupName(const std::string &prefix);
class PIXObjectGroup : public BaseObjectGroup {
public:
PIXGroup(pix_group_type _gt=UNKNOWN) : libfwbuilder::Group() { gt=_gt; }
virtual ~PIXGroup() {};
DECLARE_FWOBJECT_SUBTYPE(PIXGroup);
virtual bool validateChild(FWObject*) { return true; }
void setPIXGroupType(pix_group_type _gt) { gt=_gt; }
pix_group_type getPIXGroupType() { return gt; }
virtual void setName(const std::string &prefix);
bool isServiceGroup();
bool isObjectGroup();
std::string getSrvTypeName();
};
#if 0
class PIXObjectGroup : public libfwbuilder::ObjectGroup
{
private:
pix_group_type gt;
public:
PIXObjectGroup(pix_group_type _gt=NETWORK) : ObjectGroup() { gt=_gt; }
PIXObjectGroup(pix_group_type _gt=UNKNOWN) : BaseObjectGroup(_gt) { }
virtual ~PIXObjectGroup() {};
DECLARE_FWOBJECT_SUBTYPE(PIXObjectGroup);
virtual bool validateChild(FWObject *o) { if (o==NULL) ; return true; }
virtual void setName(const std::string &prefix);
virtual std::string toString() throw(libfwbuilder::FWException);
};
class PIXServiceGroup : public libfwbuilder::ServiceGroup
{
private:
pix_group_type gt;
public:
PIXServiceGroup(pix_group_type _gt=UNKNOWN) : ServiceGroup() { gt=_gt; }
virtual ~PIXServiceGroup() {};
DECLARE_FWOBJECT_SUBTYPE(PIXServiceGroup);
virtual bool validateChild(FWObject *o) { if (o==NULL) ; return true; }
virtual void setName(const std::string &prefix);
};
#endif
#endif
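Review bot: `validateChild` in the new `PIXObjectGroup` contains `if (o==NULL) ;` — the null check is an empty statement and the method unconditionally returns true, which is exactly what `BaseObjectGroup::validateChild` already does, so the override can be dropped (or, if a null child is meant to be rejected, written as `return o!=NULL;`). The class also declares `virtual void setName(const std::string &prefix);`, but I cannot see a `PIXObjectGroup::setName` definition on the new side of PIXObjectGroup.cpp (the only `setName` definitions in this commit belong to `BaseObjectGroup` and to the `#if 0` block); unless it is defined elsewhere, calls through a `PIXObjectGroup*` such as the one in `CreateObjectGroups::processNext` will fail to link, and the declaration should be removed so `BaseObjectGroup::setName` is used.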


@ -579,7 +579,7 @@ bool PolicyCompiler_pix::AvoidObjectGroup::processNext()
return true;
}
PIXGroup* PolicyCompiler_pix::CreateObjectGroups::findObjectGroup(RuleElement *re)
PIXObjectGroup* PolicyCompiler_pix::CreateObjectGroups::findObjectGroup(RuleElement *re)
{
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
@ -596,7 +596,7 @@ PIXGroup* PolicyCompiler_pix::CreateObjectGroups::findObjectGroup(RuleElement *r
for (FWObject::iterator i=pix_comp->object_groups->begin();
i!=pix_comp->object_groups->end(); ++i)
{
PIXGroup *og=dynamic_cast<PIXGroup*>(*i);
PIXObjectGroup *og=dynamic_cast<PIXObjectGroup*>(*i);
assert(og!=NULL);
if (og->size()==0 || (og->size()!=re->size()) ) continue;
@ -633,18 +633,18 @@ bool PolicyCompiler_pix::CreateObjectGroups::processNext()
return true;
}
PIXGroup *obj_group = findObjectGroup(re);
PIXObjectGroup *obj_group = findObjectGroup(re);
if (obj_group==NULL)
{
obj_group= new PIXGroup();
obj_group= new PIXObjectGroup();
FWObject *o = re->front();
FWObject *obj = FWReference::getObject(o);
if (Address::cast(obj)!=NULL) obj_group->setPIXGroupType(NETWORK);
if (IPService::cast(obj)!=NULL) obj_group->setPIXGroupType(PROTO);
if (ICMPService::cast(obj)!=NULL) obj_group->setPIXGroupType(ICMP_TYPE);
if (TCPService::cast(obj)!=NULL) obj_group->setPIXGroupType(TCP_SERVICE);
if (UDPService::cast(obj)!=NULL) obj_group->setPIXGroupType(UDP_SERVICE);
if (Address::cast(obj)!=NULL) obj_group->setObjectGroupType(NETWORK);
if (IPService::cast(obj)!=NULL) obj_group->setObjectGroupType(PROTO);
if (ICMPService::cast(obj)!=NULL) obj_group->setObjectGroupType(ICMP_TYPE);
if (TCPService::cast(obj)!=NULL) obj_group->setObjectGroupType(TCP_SERVICE);
if (UDPService::cast(obj)!=NULL) obj_group->setObjectGroupType(UDP_SERVICE);
obj_group->setName(
rule_iface->getLabel()+"."+rule->getUniqueId()+"."+name_suffix);


@ -208,7 +208,7 @@ namespace fwcompiler {
{
std::string re_type;
std::string name_suffix;
PIXGroup* findObjectGroup(libfwbuilder::RuleElement *re);
PIXObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re);
public:
CreateObjectGroups(const std::string &name,
const std::string &_ns,


@ -118,112 +118,20 @@ bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
for (FWObject::iterator i=pix_comp->object_groups->begin();
i!=pix_comp->object_groups->end(); ++i)
{
PIXGroup *og=dynamic_cast<PIXGroup*>(*i);
PIXObjectGroup *og=dynamic_cast<PIXObjectGroup*>(*i);
assert(og!=NULL);
if (og->size()==0) continue;
pix_comp->output << endl;
switch (og->getPIXGroupType())
try
{
case NETWORK:
pix_comp->output << "object-group network "
<< og->getName() << endl;
break;
case PROTO:
pix_comp->output << "object-group protocol "
<< og->getName() << endl;
break;
case ICMP_TYPE:
pix_comp->output << "object-group icmp-type "
<< og->getName() << endl;
break;
case TCP_SERVICE:
pix_comp->output << "object-group service "
<< og->getName() << " tcp" << endl;
break;
case UDP_SERVICE:
pix_comp->output << "object-group service "
<< og->getName() << " udp" << endl;
break;
default:
compiler->abort("Unknown object group type");
}
for (FWObject::iterator i1=og->begin(); i1!=og->end(); ++i1)
pix_comp->output << og->toString();
} catch (FWException &ex)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
switch (og->getPIXGroupType())
{
case NETWORK:
{
Address *a=Address::cast(obj);
assert(a!=NULL);
const InetAddr *addr = a->getAddressPtr();
pix_comp->output << " network-object ";
if (Network::cast(obj)!=NULL)
{
const InetAddr *mask = a->getNetmaskPtr();
pix_comp->output << addr->toString() << " ";
pix_comp->output << mask->toString() << " ";
} else {
pix_comp->output << " host ";
pix_comp->output << addr->toString() << " ";
}
pix_comp->output << endl;
break;
}
case PROTO:
{
pix_comp->output << " protocol-object ";
Service *s=Service::cast(obj);
assert(s!=NULL);
pix_comp->output << s->getProtocolName();
pix_comp->output << endl;
break;
}
case ICMP_TYPE:
{
pix_comp->output << " icmp-object ";
ICMPService *s=ICMPService::cast(obj);
assert(s!=NULL);
if ( s->getInt("type")== -1)
pix_comp->output << "any";
else
pix_comp->output << s->getInt("type");
pix_comp->output << endl;
break;
}
case TCP_SERVICE:
case UDP_SERVICE:
{
pix_comp->output << " port-object ";
Service *s=Service::cast(obj);
assert(s!=NULL);
int rs=TCPUDPService::cast(s)->getDstRangeStart();
int re=TCPUDPService::cast(s)->getDstRangeEnd();
if (rs<0) rs=0;
if (re<0) re=0;
if (rs>0 || re>0) {
if (rs==re) compiler->output << "eq " << rs;
else compiler->output << "range " << rs << " " << re;
}
else compiler->output << "range 0 65535";
pix_comp->output << endl;
break;
}
default:
compiler->abort("Unknown object group type");
}
compiler->abort(ex.toString());
}
pix_comp->output << " exit" << endl << endl;
}
return true;
@ -433,8 +341,8 @@ string PolicyCompiler_pix::PrintRule::_printICMPCommand(PolicyRule *rule)
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
assert(rule_iface);
if ( PIXGroup::cast(srv)!=NULL &&
PIXGroup::cast(srv)->getPIXGroupType()==ICMP_TYPE)
if ( PIXObjectGroup::cast(srv)!=NULL &&
PIXObjectGroup::cast(srv)->getObjectGroupType()==ICMP_TYPE)
{
for (FWObject::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
{
@ -494,7 +402,7 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
// Address *a;
if (dynamic_cast<PIXGroup*>(o)!=NULL)
if (dynamic_cast<PIXObjectGroup*>(o)!=NULL)
{
for (FWObject::iterator j=o->begin(); j!=o->end(); ++j)
{
@ -553,8 +461,7 @@ bool PolicyCompiler_pix::PrintRule::processNext()
{
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
// FWOptions *ruleopt =rule->getOptionsObject();
bool write_comments= compiler->fw->getOptionsObject()->getBool("pix_include_comments");
//bool write_comments= compiler->fw->getOptionsObject()->getBool("pix_include_comments");
tmp_queue.push_back(rule);
@ -562,34 +469,6 @@ bool PolicyCompiler_pix::PrintRule::processNext()
compiler->output << compiler->printComment(rule, current_rule_label1, "!");
#if 0
string rl=rule->getLabel();
if (write_comments && !compiler->inSingleRuleCompileMode())
{
if (rl!=current_rule_label1)
{
comment << "! " << endl;
comment << "! Rule " << rl << endl;
string comm=rule->getComment();
string::size_type c1,c2;
c1=0;
while ( (c2=comm.find('\n',c1))!=string::npos ) {
comment << "! " << comm.substr(c1,c2-c1) << endl;
c1=c2+1;
}
comment << "! " << comm.substr(c1) << endl;
comment << "! " << endl;
current_rule_label1 = rl;
compiler->output << comment.str();
}
}
string err = rule->getStr(".error_msg");
if (!err.empty()) compiler->output << "! " << err << endl;
#endif
if (rule->getBool("icmp_cmd"))
{
compiler->output << _printICMPCommand(rule);
@ -671,9 +550,9 @@ bool PolicyCompiler_pix::PrintRule::processNext()
* object-group in protocol part of ACL.
*/
PIXGroup *pgsrv = PIXGroup::cast(srvobj);
PIXGroup *pgsrc = PIXGroup::cast(srcobj);
PIXGroup *pgdst = PIXGroup::cast(dstobj);
PIXObjectGroup *pgsrv = PIXObjectGroup::cast(srvobj);
PIXObjectGroup *pgsrc = PIXObjectGroup::cast(srcobj);
PIXObjectGroup *pgdst = PIXObjectGroup::cast(dstobj);
if ( pgsrv!=NULL && pgsrv->isServiceGroup())
aclstr << pgsrv->getSrvTypeName();
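Review bot: The new `catch (FWException &ex)` in `PrintObjectGroupsAndClearCommands::processNext` catches by non-const reference; `catch (const FWException &ex)` states that the handler only reads the exception (`ex.toString()`) and is the conventional form. The later hunks in this file leave dead code behind: the commented-out `write_comments` line and the `#if 0 … #endif` block in `PrintRule::processNext` that duplicates what `compiler->printComment(rule, current_rule_label1, "!")` now does; deleting both keeps the function readable, since history is in version control. If `printComment` does not itself honor the `pix_include_comments` option that `write_comments` used to read, that option has silently stopped working — worth confirming. In `_printICMPCommand`, `PIXObjectGroup::cast(srv)` is evaluated twice in one condition; a local such as `PIXObjectGroup *pg = PIXObjectGroup::cast(srv);` avoids the repeat. All three functions extend beyond the hunks shown.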


@ -23,6 +23,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
NATCompiler_pix_writers.cpp \
OSConfigurator_pix_os.cpp \
OSConfigurator_pix_os_fixups.cpp \
BaseObjectGroup.cpp \
PIXObjectGroup.cpp \
PolicyCompiler_pix.cpp \
PolicyCompiler_pix_writers.cpp \
@ -35,15 +36,16 @@ HEADERS = ../../config.h \
Helper.h \
PolicyCompiler_cisco.h \
RoutingCompiler_cisco.h \
CompilerDriver_iosacl.h \
OSConfigurator_ios.h \
PolicyCompiler_iosacl.h \
CompilerDriver_iosacl.h \
OSConfigurator_ios.h \
PolicyCompiler_iosacl.h \
CompilerDriver_pix.h \
NATCompiler_pix.h \
OSConfigurator_pix_os.h \
BaseObjectGroup.h \
PIXObjectGroup.h \
PolicyCompiler_pix.h \
RoutingCompiler_pix.h \
RoutingCompiler_pix.h \
macx:LIBS += $$LIBS_FWCOMPILER