From 7e7f5509d267c3c4b06ef8df5e92357847db653a Mon Sep 17 00:00:00 2001
From: Vadim Kurland
Date: Mon, 24 Jan 2011 16:33:43 -0800
Subject: [PATCH] see #1970 ASA Policy - single IPv6 icmp object allowed in rules
---
doc/ChangeLog | 5 ++++
src/cisco_lib/NATCompiler_asa8.cpp | 6 +++--
src/cisco_lib/NATCompiler_pix.cpp | 6 +++--
src/cisco_lib/PolicyCompiler_pix.cpp | 6 +++--
src/libfwbuilder/src/fwcompiler/Compiler.cpp | 12 ++++++++--
src/libfwbuilder/src/fwcompiler/Compiler.h | 20 +++++++++++++---
src/libfwbuilder/src/fwcompiler/NATCompiler.h | 16 ++++++++++++-
.../src/fwcompiler/PolicyCompiler.cpp | 3 +++
.../src/fwcompiler/PolicyCompiler.h | 24 ++++++++++++++++---
9 files changed, 83 insertions(+), 15 deletions(-)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 0abfa2ffa..4c5ebcfe7 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,10 @@
2011-01-24 Vadim Kurland
+ * PolicyCompiler_pix.cpp (compile): see #1970 "ASA Policy - single
+ IPv6 icmp object allowed in rules". Since we do not support ipv6
+ for PIX/ASA at this time, policy compiler should drop the rule
+ if ipv6 address or icmpv6 service is used and issue a warning.
+
* PolicyCompiler_pix_v6_acls.cpp (processNext): see #1981 "ASA / FWSM Policy - Generate warning message if rule will not generate config data"
diff --git a/src/cisco_lib/NATCompiler_asa8.cpp b/src/cisco_lib/NATCompiler_asa8.cpp
index d9e091e75..64d396f76 100644
--- a/src/cisco_lib/NATCompiler_asa8.cpp
+++ b/src/cisco_lib/NATCompiler_asa8.cpp
@@ -329,8 +329,10 @@ void NATCompiler_asa8::compile()
/*
* We do not support ipv6 yet
*/
- add( new DropIPv6Rules("drop ipv6 rules"));
- add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
+ add( new DropIPv6RulesWithWarning(
+ "drop ipv6 rules",
+ "Rule has been suppressed because it contains IPv6 addresses"));
+ //add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));
add( new eliminateDuplicatesInODST("eliminate duplicates in ODST"));
diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp
index f83ac9f9f..1a3c849d3 100644
--- a/src/cisco_lib/NATCompiler_pix.cpp
+++ b/src/cisco_lib/NATCompiler_pix.cpp
@@ -1688,8 +1688,10 @@ void NATCompiler_pix::compile()
/*
* We do not support ipv6 yet
*/
- add( new DropIPv6Rules("drop ipv6 rules"));
- add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
+ add( new DropIPv6RulesWithWarning(
+ "drop ipv6 rules",
+ "Rule has been suppressed because it contains IPv6 addresses"));
+ //add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));
add( new eliminateDuplicatesInODST("eliminate duplicates in ODST"));
diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp
index 9178a3483..0de66af14 100644
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
@@ -523,8 +523,10 @@ void PolicyCompiler_pix::compile()
/*
* We do not support ipv6 yet
*/
- add( new DropIPv6Rules("drop ipv6 rules"));
- add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
+ add( new DropIPv6RulesWithWarning(
+ "drop ipv6 rules",
+ "Rule has been suppressed because it contains IPv6 addresses"));
+ //add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
if ( fwopt->getBool("pix_assume_fw_part_of_any"))
{
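Review bot: In all three compile() hunks (NATCompiler_asa8.cpp, NATCompiler_pix.cpp, PolicyCompiler_pix.cpp) the `dropRuleWithEmptyRE` processor is commented out rather than replaced, so rules whose source/destination (or, for NAT, the OSrc/ODst/OSrv/TSrc/TDst/TSrv elements) are empty are no longer removed from the pipeline in these compilers, while the `dropRuleWithEmptyREWithWarning` class this commit adds to Compiler.h has no caller. If the intent was to keep dropping such rules and warn about it, the line should become `add( new dropRuleWithEmptyREWithWarning("drop rules with empty rule elements", "Rule has been suppressed because one of its rule elements is empty"));`; if dropping is deliberately disabled, delete the line instead of leaving it commented, and note in the ChangeLog that empty-element rules now flow to the generator, since what the later processors do with an empty element is not visible here. The enclosing compile() bodies continue outside these hunks.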
diff --git a/src/libfwbuilder/src/fwcompiler/Compiler.cpp b/src/libfwbuilder/src/fwcompiler/Compiler.cpp
index f2389f49f..41864f185 100644
--- a/src/libfwbuilder/src/fwcompiler/Compiler.cpp
+++ b/src/libfwbuilder/src/fwcompiler/Compiler.cpp
@@ -1253,7 +1253,11 @@ bool Compiler::dropRuleWithEmptyRE::processNext()
if (PolicyRule::cast(rule) &&
(isREEmpty(rule, RuleElementSrc::TYPENAME) ||
- isREEmpty(rule, RuleElementDst::TYPENAME))) return true;
+ isREEmpty(rule, RuleElementDst::TYPENAME)))
+ {
+ if (!warning_str.empty()) compiler->warning(rule, warning_str);
+ return true;
+ }
if (NATRule::cast(rule) &&
(isREEmpty(rule, RuleElementOSrc::TYPENAME) ||
@@ -1261,7 +1265,11 @@ bool Compiler::dropRuleWithEmptyRE::processNext()
isREEmpty(rule, RuleElementOSrv::TYPENAME) ||
isREEmpty(rule, RuleElementTSrc::TYPENAME) ||
isREEmpty(rule, RuleElementTDst::TYPENAME) ||
- isREEmpty(rule, RuleElementTSrv::TYPENAME))) return true;
+ isREEmpty(rule, RuleElementTSrv::TYPENAME)))
+ {
+ if (!warning_str.empty())compiler->warning(rule, warning_str);
+ return true;
+ }
tmp_queue.push_back(rule);
return true;
diff --git a/src/libfwbuilder/src/fwcompiler/Compiler.h b/src/libfwbuilder/src/fwcompiler/Compiler.h
index fa1bec3bb..72de804a7 100644
--- a/src/libfwbuilder/src/fwcompiler/Compiler.h
+++ b/src/libfwbuilder/src/fwcompiler/Compiler.h
@@ -455,7 +455,8 @@ protected:
std::string re_type;
public:
expandMultipleAddressesInRE(const std::string &name,
- const std::string &t) : BasicRuleProcessor(name) { re_type=t; }
+ const std::string &t) :
+ BasicRuleProcessor(name) { re_type=t; }
virtual bool processNext();
};
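Review bot: The second Compiler.cpp hunk's added line `if (!warning_str.empty())compiler->warning(rule, warning_str);` is missing the space after the condition that the identical line in the first hunk has; the two blocks should be formatted the same. Both hunks now add the same three-line drop-and-warn block, so the PolicyRule and NATRule conditions could be combined into one `bool drop = ...;` test with a single block, which keeps the warning call in one place if its text or arguments change later. `dropRuleWithEmptyRE::processNext()` begins and ends outside these hunks.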
@@ -464,11 +465,24 @@ protected:
*/
class dropRuleWithEmptyRE : public BasicRuleProcessor
{
+ std::string warning_str;
bool isREEmpty(libfwbuilder::Rule *rule, const std::string &re_type);
public:
- dropRuleWithEmptyRE(const std::string &name) : BasicRuleProcessor(name)
- { }
+ dropRuleWithEmptyRE(const std::string &name) :
+ BasicRuleProcessor(name) { warning_str = ""; }
virtual bool processNext();
+ protected:
+ dropRuleWithEmptyRE(const std::string &name,
+ const std::string &_warning) :
+ BasicRuleProcessor(name) { warning_str = _warning; }
+ };
+
+ class dropRuleWithEmptyREWithWarning : public dropRuleWithEmptyRE
+ {
+ public:
+ dropRuleWithEmptyREWithWarning(const std::string &name,
+ const std::string &_warning) :
+ dropRuleWithEmptyRE(name, _warning) { }
};
/**
diff --git a/src/libfwbuilder/src/fwcompiler/NATCompiler.h b/src/libfwbuilder/src/fwcompiler/NATCompiler.h
index c16423d69..a11568a05 100644
--- a/src/libfwbuilder/src/fwcompiler/NATCompiler.h
+++ b/src/libfwbuilder/src/fwcompiler/NATCompiler.h
@@ -182,12 +182,19 @@ namespace fwcompiler {
*/
class DropRulesByAddressFamilyAndServiceType : public NATRuleProcessor
{
+ std::string warning_str;
bool drop_ipv6;
public:
DropRulesByAddressFamilyAndServiceType(const std::string &n,
bool ipv6) : NATRuleProcessor(n)
- { drop_ipv6 = ipv6; }
+ { drop_ipv6 = ipv6; warning_str = ""; }
virtual bool processNext();
+ protected:
+ DropRulesByAddressFamilyAndServiceType(
+ const std::string &n,
+ const std::string &w,
+ bool ipv6) : NATRuleProcessor(n)
+ { drop_ipv6 = ipv6; warning_str = w; }
};
/**
@@ -212,6 +219,13 @@ namespace fwcompiler {
DropRulesByAddressFamilyAndServiceType(n, true) {};
};
+ class DropIPv6RulesWithWarning : public DropRulesByAddressFamilyAndServiceType
+ {
+ public:
+ DropIPv6RulesWithWarning(const std::string &n, const std::string &w) :
+ DropRulesByAddressFamilyAndServiceType(n, w, true) {};
+ };
+
/**
* deals with recursive groups in OSrc. See description for
* Compiler::recursiveGroupsInRE
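Review bot: The new `dropRuleWithEmptyRE` constructors assign `warning_str` in the body; `warning_str = "";` in the public one is redundant because `std::string` default-constructs empty, and the protected one should initialise the member in the initializer list, `BasicRuleProcessor(name), warning_str(_warning) { }`, which is the idiom the rest of this header's processors would benefit from too. The derived `dropRuleWithEmptyREWithWarning` adds nothing except making the protected constructor reachable, so a second public constructor (or a defaulted second parameter) on `dropRuleWithEmptyRE` would do the same job with less code, and the new class also lacks the `/** ... */` comment its neighbours carry. The same assign-in-body pattern is repeated in the NATCompiler.h and PolicyCompiler.h `DropRulesByAddressFamilyAndServiceType` hunks.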
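Review bot: `warning_str` is added to the NAT `DropRulesByAddressFamilyAndServiceType` in NATCompiler.h, but NATCompiler.cpp is not in this commit's diffstat, so the NAT processor's `processNext()` cannot read the new member and the `DropIPv6RulesWithWarning` instances registered in NATCompiler_asa8.cpp and NATCompiler_pix.cpp will still drop rules silently; only the PolicyCompiler.cpp processor receives the `compiler->warning(rule, warning_str)` calls in this commit. The NAT `processNext()` needs the same `if (!warning_str.empty()) compiler->warning(rule, warning_str);` before each `return true;` that discards the rule, or the warning text should be documented as policy-only. Where exactly the NAT processor drops rules is not visible here.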
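Review bot: The NATCompiler.h `DropIPv6RulesWithWarning` class has no `/** ... */` comment, unlike the existing processors in this header and unlike its PolicyCompiler.h counterpart added in the same commit; a comment such as `/** Drop NAT rule if any address object in its rule elements is an ipv6 address and issue the given warning */` would keep the two headers consistent. The trailing `;` after the constructor body in `DropRulesByAddressFamilyAndServiceType(n, w, true) {};` is a harmless leftover copied from the line above and can be dropped.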
diff --git a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
index 7b434dd00..d3409b936 100644
--- a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
+++ b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
@@ -1152,6 +1152,7 @@ bool PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
{
// removing all ipv6 addresses from source makes it 'any', drop
// this rule
+ if (!warning_str.empty()) compiler->warning(rule, warning_str);
return true;
}
@@ -1159,6 +1160,7 @@ bool PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
{
// removing all ipv6 addresses from destination makes it 'any', drop
// this rule
+ if (!warning_str.empty()) compiler->warning(rule, warning_str);
return true;
}
@@ -1166,6 +1168,7 @@ bool PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
{
// removing all ipv6 addresses from service makes it 'any', drop
// this rule
+ if (!warning_str.empty()) compiler->warning(rule, warning_str);
return true;
}
diff --git a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
index 9e65623b4..b8a8105b4 100644
--- a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
+++ b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
@@ -262,12 +262,19 @@ namespace fwcompiler {
*/
class DropRulesByAddressFamilyAndServiceType : public PolicyRuleProcessor
{
+ std::string warning_str;
bool drop_ipv6;
public:
- DropRulesByAddressFamilyAndServiceType(const std::string &n,
- bool ipv6) : PolicyRuleProcessor(n)
- { drop_ipv6 = ipv6; }
+ DropRulesByAddressFamilyAndServiceType(
+ const std::string &n, bool ipv6) : PolicyRuleProcessor(n)
+ { drop_ipv6 = ipv6; warning_str = ""; }
virtual bool processNext();
+ protected:
+ DropRulesByAddressFamilyAndServiceType(
+ const std::string &n,
+ const std::string &w,
+ bool ipv6) : PolicyRuleProcessor(n)
+ { drop_ipv6 = ipv6; warning_str = w; }
};
/**
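Review bot: The same `warning_str` is emitted from all three drop branches of `PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()`, including the third hunk's service branch (`// removing all ipv6 addresses from service makes it 'any'`), so a rule dropped because of an IPv6-only service — which, per the ChangeLog entry, is the case ticket #1970 is about — is reported with the call sites' text "Rule has been suppressed because it contains IPv6 addresses", which misstates the reason. Either widen the message at the three call sites to cover both cases, e.g. `"Rule has been suppressed because it contains IPv6 addresses or services"`, or give the service branch its own string. The three identical lines could also be hoisted into one warning call after the branch decision if the function's shape allows; `processNext()` begins and ends outside these hunks.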
@@ -292,6 +299,17 @@ namespace fwcompiler {
DropRulesByAddressFamilyAndServiceType(n, true) {};
};
+ /**
+ * Drop rule if any address object in source or destination is
+ * ipv6 address and issue warning
+ */
+ class DropIPv6RulesWithWarning : public DropRulesByAddressFamilyAndServiceType
+ {
+ public:
+ DropIPv6RulesWithWarning(const std::string &n, const std::string &w) :
+ DropRulesByAddressFamilyAndServiceType(n, w, true) {};
+ };
+
/**
* deals with recursive groups in Src. See description for
* Compiler::recursiveGroupsInRE
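Review bot: The new doc comment on `DropIPv6RulesWithWarning` mentions only "address object in source or destination", but the PolicyCompiler.cpp hunks in this commit also warn and drop when the service element is affected, so the comment undersells what the processor does; something like `Drop rule if any address object in source or destination, or any service object in the service element, is ipv6, and issue the given warning` would match the implementation. It would also help callers to say that `w` is passed verbatim to `compiler->warning()` and that an empty `w` suppresses the warning, since that is what the `warning_str.empty()` checks do. The trailing `;` in `DropRulesByAddressFamilyAndServiceType(n, w, true) {};` is unnecessary, although it mirrors the existing line above.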