onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 17:57:22 +01:00
Code Issues Releases Wiki Activity

see #1970 ASA Policy - single IPv6 icmp object allowed in rules

Browse Source
This commit is contained in:
Vadim Kurland 2011-01-24 16:33:43 -08:00
parent 83ac66edff
commit 7e7f5509d2
9 changed files with 83 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/ChangeLog
View File

@ -1,5 +1,10 @@
2011-01-24 Vadim Kurland <vadim@netcitadel.com>
* PolicyCompiler_pix.cpp (compile): see #1970 "ASA Policy - single
IPv6 icmp object allowed in rules". Since we do not support ipv6
for PIX/ASA at this time, policy compiler should drop the rule
if ipv6 address or icmpv6 service is used and issue a warning.
* PolicyCompiler_pix_v6_acls.cpp (processNext): see #1981 "ASA /
FWSM Policy - Generate warning message if rule will not generate
config data"

6
src/cisco_lib/NATCompiler_asa8.cpp
View File

@ -329,8 +329,10 @@ void NATCompiler_asa8::compile()
/*
* We do not support ipv6 yet
*/
add( new DropIPv6Rules("drop ipv6 rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new DropIPv6RulesWithWarning(
"drop ipv6 rules",
"Rule has been suppressed because it contains IPv6 addresses"));
//add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));
add( new eliminateDuplicatesInODST("eliminate duplicates in ODST"));

6
src/cisco_lib/NATCompiler_pix.cpp
View File

@ -1688,8 +1688,10 @@ void NATCompiler_pix::compile()
/*
* We do not support ipv6 yet
*/
add( new DropIPv6Rules("drop ipv6 rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new DropIPv6RulesWithWarning(
"drop ipv6 rules",
"Rule has been suppressed because it contains IPv6 addresses"));
//add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));
add( new eliminateDuplicatesInODST("eliminate duplicates in ODST"));

6
src/cisco_lib/PolicyCompiler_pix.cpp
View File

@ -523,8 +523,10 @@ void PolicyCompiler_pix::compile()
/*
* We do not support ipv6 yet
*/
add( new DropIPv6Rules("drop ipv6 rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new DropIPv6RulesWithWarning(
"drop ipv6 rules",
"Rule has been suppressed because it contains IPv6 addresses"));
//add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
if ( fwopt->getBool("pix_assume_fw_part_of_any"))
{

12
src/libfwbuilder/src/fwcompiler/Compiler.cpp
View File

@ -1253,7 +1253,11 @@ bool Compiler::dropRuleWithEmptyRE::processNext()
if (PolicyRule::cast(rule) &&
(isREEmpty(rule, RuleElementSrc::TYPENAME) ||
isREEmpty(rule, RuleElementDst::TYPENAME))) return true;
isREEmpty(rule, RuleElementDst::TYPENAME)))
{
if (!warning_str.empty()) compiler->warning(rule, warning_str);
return true;
}
if (NATRule::cast(rule) &&
(isREEmpty(rule, RuleElementOSrc::TYPENAME) ||
@ -1261,7 +1265,11 @@ bool Compiler::dropRuleWithEmptyRE::processNext()
isREEmpty(rule, RuleElementOSrv::TYPENAME) ||
isREEmpty(rule, RuleElementTSrc::TYPENAME) ||
isREEmpty(rule, RuleElementTDst::TYPENAME) ||
isREEmpty(rule, RuleElementTSrv::TYPENAME))) return true;
isREEmpty(rule, RuleElementTSrv::TYPENAME)))
{
if (!warning_str.empty())compiler->warning(rule, warning_str);
return true;
}
tmp_queue.push_back(rule);
return true;

20
src/libfwbuilder/src/fwcompiler/Compiler.h
View File

@ -455,7 +455,8 @@ protected:
std::string re_type;
public:
expandMultipleAddressesInRE(const std::string &name,
const std::string &t) : BasicRuleProcessor(name) { re_type=t; }
const std::string &t) :
BasicRuleProcessor(name) { re_type=t; }
virtual bool processNext();
};
@ -464,11 +465,24 @@ protected:
*/
class dropRuleWithEmptyRE : public BasicRuleProcessor
{
std::string warning_str;
bool isREEmpty(libfwbuilder::Rule *rule, const std::string &re_type);
public:
dropRuleWithEmptyRE(const std::string &name) : BasicRuleProcessor(name)
{ }
dropRuleWithEmptyRE(const std::string &name) :
BasicRuleProcessor(name) { warning_str = ""; }
virtual bool processNext();
protected:
dropRuleWithEmptyRE(const std::string &name,
const std::string &_warning) :
BasicRuleProcessor(name) { warning_str = _warning; }
};
class dropRuleWithEmptyREWithWarning : public dropRuleWithEmptyRE
{
public:
dropRuleWithEmptyREWithWarning(const std::string &name,
const std::string &_warning) :
dropRuleWithEmptyRE(name, _warning) { }
};
/**

16
src/libfwbuilder/src/fwcompiler/NATCompiler.h
View File

@ -182,12 +182,19 @@ namespace fwcompiler {
*/
class DropRulesByAddressFamilyAndServiceType : public NATRuleProcessor
{
std::string warning_str;
bool drop_ipv6;
public:
DropRulesByAddressFamilyAndServiceType(const std::string &n,
bool ipv6) : NATRuleProcessor(n)
{ drop_ipv6 = ipv6; }
{ drop_ipv6 = ipv6; warning_str = ""; }
virtual bool processNext();
protected:
DropRulesByAddressFamilyAndServiceType(
const std::string &n,
const std::string &w,
bool ipv6) : NATRuleProcessor(n)
{ drop_ipv6 = ipv6; warning_str = w; }
};
/**
@ -212,6 +219,13 @@ namespace fwcompiler {
DropRulesByAddressFamilyAndServiceType(n, true) {};
};
class DropIPv6RulesWithWarning : public DropRulesByAddressFamilyAndServiceType
{
public:
DropIPv6RulesWithWarning(const std::string &n, const std::string &w) :
DropRulesByAddressFamilyAndServiceType(n, w, true) {};
};
/**
* deals with recursive groups in OSrc. See description for
* Compiler::recursiveGroupsInRE

3
src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
View File

@ -1152,6 +1152,7 @@ bool PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
{
// removing all ipv6 addresses from source makes it 'any', drop
// this rule
if (!warning_str.empty()) compiler->warning(rule, warning_str);
return true;
}
@ -1159,6 +1160,7 @@ bool PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
{
// removing all ipv6 addresses from destination makes it 'any', drop
// this rule
if (!warning_str.empty()) compiler->warning(rule, warning_str);
return true;
}
@ -1166,6 +1168,7 @@ bool PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
{
// removing all ipv6 addresses from service makes it 'any', drop
// this rule
if (!warning_str.empty()) compiler->warning(rule, warning_str);
return true;
}

24
src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
View File

@ -262,12 +262,19 @@ namespace fwcompiler {
*/
class DropRulesByAddressFamilyAndServiceType : public PolicyRuleProcessor
{
std::string warning_str;
bool drop_ipv6;
public:
DropRulesByAddressFamilyAndServiceType(const std::string &n,
bool ipv6) : PolicyRuleProcessor(n)
{ drop_ipv6 = ipv6; }
DropRulesByAddressFamilyAndServiceType(
const std::string &n, bool ipv6) : PolicyRuleProcessor(n)
{ drop_ipv6 = ipv6; warning_str = ""; }
virtual bool processNext();
protected:
DropRulesByAddressFamilyAndServiceType(
const std::string &n,
const std::string &w,
bool ipv6) : PolicyRuleProcessor(n)
{ drop_ipv6 = ipv6; warning_str = w; }
};
/**
@ -292,6 +299,17 @@ namespace fwcompiler {
DropRulesByAddressFamilyAndServiceType(n, true) {};
};
/**
* Drop rule if any address object in source or destination is
* ipv6 address and issue warning
*/
class DropIPv6RulesWithWarning : public DropRulesByAddressFamilyAndServiceType
{
public:
DropIPv6RulesWithWarning(const std::string &n, const std::string &w) :
DropRulesByAddressFamilyAndServiceType(n, w, true) {};
};
/**
* deals with recursive groups in Src. See description for
* Compiler::recursiveGroupsInRE