onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 17:57:22 +01:00
Code Issues Releases Wiki Activity

see #1970 1) suppress rules that hold ipv6 objects from policy and nat rule sets because we do not support ipv6 at this time 2) moved rule processor dropRuleWithEmptyRE to class Compiler to avoid duplication of code

Browse Source
This commit is contained in:
Vadim Kurland 2011-01-24 14:42:06 -08:00
parent 5961400eb4
commit 83ac66edff
9 changed files with 68 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/cisco_lib/NATCompiler_asa8.cpp
View File

@ -326,6 +326,10 @@ void NATCompiler_asa8::compile()
add( new ExpandGroups("expand groups"));
/*
* We do not support ipv6 yet
*/
add( new DropIPv6Rules("drop ipv6 rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));

4
src/cisco_lib/NATCompiler_pix.cpp
View File

@ -1685,6 +1685,10 @@ void NATCompiler_pix::compile()
add( new ExpandGroups("expand groups"));
/*
* We do not support ipv6 yet
*/
add( new DropIPv6Rules("drop ipv6 rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));

38
src/cisco_lib/PolicyCompiler_pix.cpp
View File

@ -449,7 +449,8 @@ void PolicyCompiler_pix::compile()
add( new printTotalNumberOfRules ( ));
add( new ItfNegation( "process negation in Itf" ));
add( new InterfacePolicyRules("process interface policy rules and store interface ids"));
add( new InterfacePolicyRules("process interface policy rules and "
"store interface ids"));
add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ));
add( new recursiveGroupsInDst( "check for recursive groups in DST" ));
@ -510,7 +511,8 @@ void PolicyCompiler_pix::compile()
add( new expandGroupsInItf("expand groups in Interface" ));
add( new replaceClusterInterfaceInItf(
"replace cluster interfaces with member interfaces in the Interface rule element"));
"replace cluster interfaces with member interfaces in "
"the Interface rule element"));
add( new ItfNegation( "process negation in Itf" ));
add( new InterfacePolicyRules(
"process interface policy rules and store interface ids"));
@ -518,6 +520,12 @@ void PolicyCompiler_pix::compile()
if (XMLTools::version_compare(vers, "8.3")<0)
add( new addressRanges("process address ranges" ));
/*
* We do not support ipv6 yet
*/
add( new DropIPv6Rules("drop ipv6 rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
if ( fwopt->getBool("pix_assume_fw_part_of_any"))
{
// Note that this splits the rule if Dst==any and one or more
@ -536,12 +544,7 @@ void PolicyCompiler_pix::compile()
add( new separateSrcPort("split rules matching source ports"));
add( new separateCustom("split rules matching custom services"));
// if (XMLTools::version_compare(vers, "8.0")<0)
add( new groupServicesByProtocol("split rules with different protocols"));
// else
// add( new groupTCPUDPServices(
// "split rules to keep TCP and UDP services separate "
// "from other protocols"));
add( new groupServicesByProtocol("split rules with different protocols"));
add( new PrepareForICMPCmd("prepare for icmp command" ));
@ -567,15 +570,15 @@ void PolicyCompiler_pix::compile()
add( new checkForUnnumbered( "check for unnumbered interfaces" ));
//add( new addressRanges("process address ranges" ));
if (outbound_acl_supported )
{
// Call these after splitIfSrcMatchesFw and splitIfDstMatchesFw
add( new setInterfaceAndDirectionBySrc(
"Set interface and direction for rules with interface 'all' using SRC; v7"));
"Set interface and direction for rules with interface "
"'all' using SRC; v7"));
add( new setInterfaceAndDirectionByDst(
"Set interface and direction for rules with interface 'all' using DST; v7"));
"Set interface and direction for rules with interface "
"'all' using DST; v7"));
add(new setInterfaceAndDirectionIfInterfaceSet(
"Set direction for rules with interface not 'all'; v7"));
} else
@ -617,10 +620,12 @@ void PolicyCompiler_pix::compile()
add( new CheckForUnsupportedUserService("check for user service") );
add( new checkForZeroAddr( "check for zero addresses" ));
add( new checkVersionAndDynamicInterface(
"check for dynamic interfaces in policy rule and verify version of PIX OS"));
"check for dynamic interfaces in policy rule and verify "
"version of PIX OS"));
add( new splitIfTelnetSSHICMPtoFw(
"split rule if there are multiple objects in src and it controlls access to the firewall"));
"split rule if there are multiple objects in src and it "
"controlls access to the firewall"));
/* remove redundant objects only after all splits has been
* done, right before object groups are created
@ -652,17 +657,12 @@ void PolicyCompiler_pix::compile()
add( new createNewCompilerPass("Creating object groups and ACLs ..."));
//add( new printClearCommands("Clear ACLs and object groups"));
if (XMLTools::version_compare(vers, "8.3")>=0)
{
add( new createNamedObjectsForPolicy(
"create named objects", named_objects_manager));
}
//add( new printObjectGroups(
// "generate code for object groups", named_objects_manager));
add( new PrintRule("generate code for ACLs"));
add( new simplePrintProgress());

29
src/libfwbuilder/src/fwcompiler/Compiler.cpp
View File

@ -1240,6 +1240,35 @@ void Compiler::DropAddressFamilyInRE(RuleElement *rel, bool drop_ipv6)
rel->removeRef(*i);
}
bool Compiler::dropRuleWithEmptyRE::isREEmpty(Rule *rule,
const std::string &re_type)
{
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
return re->size()==0;
}
bool Compiler::dropRuleWithEmptyRE::processNext()
{
Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
if (PolicyRule::cast(rule) &&
(isREEmpty(rule, RuleElementSrc::TYPENAME) ||
isREEmpty(rule, RuleElementDst::TYPENAME))) return true;
if (NATRule::cast(rule) &&
(isREEmpty(rule, RuleElementOSrc::TYPENAME) ||
isREEmpty(rule, RuleElementODst::TYPENAME) ||
isREEmpty(rule, RuleElementOSrv::TYPENAME) ||
isREEmpty(rule, RuleElementTSrc::TYPENAME) ||
isREEmpty(rule, RuleElementTDst::TYPENAME) ||
isREEmpty(rule, RuleElementTSrv::TYPENAME))) return true;
tmp_queue.push_back(rule);
return true;
}
void Compiler::DropByServiceTypeInRE(RuleElement *rel, bool drop_ipv6)
{
list<FWObject*> objects_to_remove;

12
src/libfwbuilder/src/fwcompiler/Compiler.h
View File

@ -459,6 +459,18 @@ protected:
virtual bool processNext();
};
/**
* drop rules that have empty rule elements
*/
class dropRuleWithEmptyRE : public BasicRuleProcessor
{
bool isREEmpty(libfwbuilder::Rule *rule, const std::string &re_type);
public:
dropRuleWithEmptyRE(const std::string &name) : BasicRuleProcessor(name)
{ }
virtual bool processNext();
};
/**
* if MultiAddress object failed to convert itself to a group
* of addresses and compiler runs in a test mode, we use dummy

20
src/libfwbuilder/src/fwcompiler/NATCompiler.cpp
View File

@ -846,26 +846,6 @@ bool NATCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
return true;
}
bool NATCompiler::dropRuleWithEmptyRE::processNext()
{
NATRule *rule = getNext(); if (rule==NULL) return false;
RuleElementOSrc *osrcrel = rule->getOSrc();
RuleElementODst *odstrel = rule->getODst();
RuleElementTSrc *tsrcrel = rule->getTSrc();
RuleElementTDst *tdstrel = rule->getTDst();
if ((osrcrel->size() == 0) || (odstrel->size() == 0)) return true;
if ((tsrcrel->size() == 0) || (tdstrel->size() == 0)) return true;
// Address *osrc = compiler->getFirstOSrc(rule);
// Address *odst = compiler->getFirstODst(rule);
// Address *tsrc = compiler->getFirstTSrc(rule);
// Address *tdst = compiler->getFirstTDst(rule);
// if (osrc!=NULL && odst!=NULL && tsrc!=NULL && tdst!=NULL)
// tmp_queue.push_back(rule);
tmp_queue.push_back(rule);
return true;
}
string NATCompiler::debugPrintRule(libfwbuilder::Rule *r)
{
NATRule *rule = NATRule::cast(r);

5
src/libfwbuilder/src/fwcompiler/NATCompiler.h
View File

@ -212,11 +212,6 @@ namespace fwcompiler {
DropRulesByAddressFamilyAndServiceType(n, true) {};
};
/**
* drop rules that have empty rule elements
*/
DECLARE_NAT_RULE_PROCESSOR(dropRuleWithEmptyRE);
/**
* deals with recursive groups in OSrc. See description for
* Compiler::recursiveGroupsInRE

14
src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
View File

@ -1174,20 +1174,6 @@ bool PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
return true;
}
bool PolicyCompiler::dropRuleWithEmptyRE::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
RuleElementSrc *srcrel=rule->getSrc();
RuleElementDst *dstrel=rule->getDst();
if ((srcrel->size() == 0) || (dstrel->size() == 0)) return true;
// Address *src = compiler->getFirstSrc(rule);
// Address *dst = compiler->getFirstDst(rule);
// if (src!=NULL && dst!=NULL) tmp_queue.push_back(rule);
tmp_queue.push_back(rule);
return true;
}
string PolicyCompiler::debugPrintRule(Rule *r)
{
PolicyRule *rule=PolicyRule::cast(r);

5
src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
View File

@ -292,11 +292,6 @@ namespace fwcompiler {
DropRulesByAddressFamilyAndServiceType(n, true) {};
};
/**
* drop rules that have empty rule elements
*/
DECLARE_POLICY_RULE_PROCESSOR(dropRuleWithEmptyRE);
/**
* deals with recursive groups in Src. See description for
* Compiler::recursiveGroupsInRE