diff --git a/src/cisco_lib/NATCompiler_asa8.cpp b/src/cisco_lib/NATCompiler_asa8.cpp
index 854954eec..d9e091e75 100644
--- a/src/cisco_lib/NATCompiler_asa8.cpp
+++ b/src/cisco_lib/NATCompiler_asa8.cpp
@@ -326,6 +326,10 @@ void NATCompiler_asa8::compile()
 add( new ExpandGroups("expand groups"));
+ /*
+ * We do not support ipv6 yet
+ */
+ add( new DropIPv6Rules("drop ipv6 rules"));
 add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
 add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));
diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp
index ddf4d9ada..f83ac9f9f 100644
--- a/src/cisco_lib/NATCompiler_pix.cpp
+++ b/src/cisco_lib/NATCompiler_pix.cpp
@@ -1685,6 +1685,10 @@ void NATCompiler_pix::compile()
 add( new ExpandGroups("expand groups"));
+ /*
+ * We do not support ipv6 yet
+ */
+ add( new DropIPv6Rules("drop ipv6 rules"));
 add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
 add( new eliminateDuplicatesInOSRC("eliminate duplicates in OSRC"));
diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp
index bc9a84989..9178a3483 100644
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
@@ -449,7 +449,8 @@ void PolicyCompiler_pix::compile()
 add( new printTotalNumberOfRules ( ));
 add( new ItfNegation( "process negation in Itf" ));
- add( new InterfacePolicyRules("process interface policy rules and store interface ids"));
+ add( new InterfacePolicyRules("process interface policy rules and "
+ "store interface ids"));
 add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ));
 add( new recursiveGroupsInDst( "check for recursive groups in DST" ));
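Review bot: The new comment `We do not support ipv6 yet` above `DropIPv6Rules` says what is missing but not what happens to the IPv6 rules, which is what a reader comparing the loaded policy with the generated ASA config needs to know. Assuming DropIPv6Rules strips IPv6 objects from the rule elements in the same way the `DropAddressFamilyInRE` helper visible later in this diff does (its implementation is not in the diff), the pass that actually discards the rule is the existing `dropRuleWithEmptyRE` right after it, and the comment should make that dependency explicit so nobody reorders the two: `/* IPv6 is not supported yet: DropIPv6Rules removes IPv6 objects and dropRuleWithEmptyRE below discards any rule left with an empty element, so IPv6-only rules never reach the output. */`. compile() continues outside this hunk on both sides.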
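Review bot: Rules removed by the added `DropIPv6Rules` pass in NATCompiler_pix::compile() disappear from the generated PIX configuration without, as far as this hunk shows, any message to the operator; for a NAT rule set a quietly missing rule can mean traffic leaves untranslated, so the drop should be visible at compile time. If DropIPv6Rules does not already emit a diagnostic (its implementation is outside this diff), a compiler warning naming each dropped rule is the right fix, and otherwise the comment should at least state the consequence: `/* IPv6 is not supported yet; IPv6 rules are dropped here without a warning */`. The surrounding compile() body starts and ends outside the hunk.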
@@ -510,7 +511,8 @@ void PolicyCompiler_pix::compile()
 add( new expandGroupsInItf("expand groups in Interface" ));
 add( new replaceClusterInterfaceInItf(
- "replace cluster interfaces with member interfaces in the Interface rule element"));
+ "replace cluster interfaces with member interfaces in "
+ "the Interface rule element"));
 add( new ItfNegation( "process negation in Itf" ));
 add( new InterfacePolicyRules( "process interface policy rules and store interface ids"));
@@ -518,6 +520,12 @@ void PolicyCompiler_pix::compile()
 if (XMLTools::version_compare(vers, "8.3")<0)
 add( new addressRanges("process address ranges" ));
+ /*
+ * We do not support ipv6 yet
+ */
+ add( new DropIPv6Rules("drop ipv6 rules"));
+ add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
+
 if ( fwopt->getBool("pix_assume_fw_part_of_any"))
 {
 // Note that this splits the rule if Dst==any and one or more
@@ -536,12 +544,7 @@ void PolicyCompiler_pix::compile()
 add( new separateSrcPort("split rules matching source ports"));
 add( new separateCustom("split rules matching custom services"));
-// if (XMLTools::version_compare(vers, "8.0")<0)
- add( new groupServicesByProtocol("split rules with different protocols"));
-// else
-// add( new groupTCPUDPServices(
-// "split rules to keep TCP and UDP services separate "
-// "from other protocols"));
+ add( new groupServicesByProtocol("split rules with different protocols"));
 add( new PrepareForICMPCmd("prepare for icmp command" ));
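Review bot: The `dropRuleWithEmptyRE` pass added right after `DropIPv6Rules` in the second hunk is what makes the IPv6 handling work for the ACL compiler — a rule whose Src or Dst is emptied must be removed before the later split passes see it — yet the comment above the pair only says `We do not support ipv6 yet`, the same three lines now pasted into three compile() methods. Since the ordering of these two lines is load-bearing, I would replace the comment with one that states it: `/* IPv6 is not supported for PIX/ASA yet. DropIPv6Rules strips IPv6 objects; dropRuleWithEmptyRE must follow it so rules left with an empty Src or Dst never reach the ACL generator. */`. Whether DropIPv6Rules itself warns about the rules it removes cannot be seen from this diff; if it does not, the operator gets no indication that the generated ACL omits part of the loaded policy. compile() begins and ends outside these hunks.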
@@ -567,15 +570,15 @@ void PolicyCompiler_pix::compile()
 add( new checkForUnnumbered( "check for unnumbered interfaces" ));
- //add( new addressRanges("process address ranges" ));
-
 if (outbound_acl_supported )
 {
 // Call these after splitIfSrcMatchesFw and splitIfDstMatchesFw
 add( new setInterfaceAndDirectionBySrc(
- "Set interface and direction for rules with interface 'all' using SRC; v7"));
+ "Set interface and direction for rules with interface "
+ "'all' using SRC; v7"));
 add( new setInterfaceAndDirectionByDst(
- "Set interface and direction for rules with interface 'all' using DST; v7"));
+ "Set interface and direction for rules with interface "
+ "'all' using DST; v7"));
 add(new setInterfaceAndDirectionIfInterfaceSet(
 "Set direction for rules with interface not 'all'; v7"));
 } else
@@ -617,10 +620,12 @@ void PolicyCompiler_pix::compile()
 add( new CheckForUnsupportedUserService("check for user service") );
 add( new checkForZeroAddr( "check for zero addresses" ));
 add( new checkVersionAndDynamicInterface(
- "check for dynamic interfaces in policy rule and verify version of PIX OS"));
+ "check for dynamic interfaces in policy rule and verify "
+ "version of PIX OS"));
 add( new splitIfTelnetSSHICMPtoFw(
- "split rule if there are multiple objects in src and it controlls access to the firewall"));
+ "split rule if there are multiple objects in src and it "
+ "controlls access to the firewall"));
 /* remove redundant objects only after all splits has been
 * done, right before object groups are created
@@ -652,17 +657,12 @@ void PolicyCompiler_pix::compile()
 add( new createNewCompilerPass("Creating object groups and ACLs ..."));
- //add( new printClearCommands("Clear ACLs and object groups"));
-
 if (XMLTools::version_compare(vers, "8.3")>=0)
 {
 add( new createNamedObjectsForPolicy(
 "create named objects", named_objects_manager));
 }
- //add( new printObjectGroups(
- // "generate code for object groups", named_objects_manager));
-
 add( new PrintRule("generate code for ACLs"));
 add( new simplePrintProgress());
diff --git a/src/libfwbuilder/src/fwcompiler/Compiler.cpp b/src/libfwbuilder/src/fwcompiler/Compiler.cpp
index 13f05b905..f2389f49f 100644
--- a/src/libfwbuilder/src/fwcompiler/Compiler.cpp
+++ b/src/libfwbuilder/src/fwcompiler/Compiler.cpp
@@ -1240,6 +1240,35 @@ void Compiler::DropAddressFamilyInRE(RuleElement *rel, bool drop_ipv6)
 rel->removeRef(*i);
 }
+bool Compiler::dropRuleWithEmptyRE::isREEmpty(Rule *rule,
+ const std::string &re_type)
+{
+ RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
+ return re->size()==0;
+}
+
+bool Compiler::dropRuleWithEmptyRE::processNext()
+{
+ Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
+
+ if (PolicyRule::cast(rule) &&
+ (isREEmpty(rule, RuleElementSrc::TYPENAME) ||
+ isREEmpty(rule, RuleElementDst::TYPENAME))) return true;
+
+ if (NATRule::cast(rule) &&
+ (isREEmpty(rule, RuleElementOSrc::TYPENAME) ||
+ isREEmpty(rule, RuleElementODst::TYPENAME) ||
+ isREEmpty(rule, RuleElementOSrv::TYPENAME) ||
+ isREEmpty(rule, RuleElementTSrc::TYPENAME) ||
+ isREEmpty(rule, RuleElementTDst::TYPENAME) ||
+ isREEmpty(rule, RuleElementTSrv::TYPENAME))) return true;
+
+ tmp_queue.push_back(rule);
+ return true;
+}
+
+
+
 void Compiler::DropByServiceTypeInRE(RuleElement *rel, bool drop_ipv6)
 {
 list objects_to_remove;
diff --git a/src/libfwbuilder/src/fwcompiler/Compiler.h b/src/libfwbuilder/src/fwcompiler/Compiler.h
index ffcf311f4..fa1bec3bb 100644
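Review bot: `isREEmpty` dereferences the result of `RuleElement::cast(rule->getFirstByType(re_type))` without a NULL check, so a rule that lacks the requested element type, or whose child is not a RuleElement, crashes the compiler instead of producing a diagnostic; `return re == NULL || re->size() == 0;` keeps the drop semantics and survives that case. Separately, the NAT branch of `processNext` now also drops rules whose OSrv or TSrv element is empty, which the removed `NATCompiler::dropRuleWithEmptyRE` (later in this diff) never did; if an empty service element can stand for "any" anywhere in the object model — I cannot confirm that from this diff — valid NAT rules would now vanish from the generated configuration. In both branches the rule is discarded by a bare `return true;` with no message, so the operator has no way to see that the compiled policy is smaller than the one they loaded; a warning through the compiler's existing diagnostics when a rule is dropped would close that gap. `isREEmpty` also reads no member state and can be declared `static`.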
--- a/src/libfwbuilder/src/fwcompiler/Compiler.h
+++ b/src/libfwbuilder/src/fwcompiler/Compiler.h
@@ -459,6 +459,18 @@ protected:
 virtual bool processNext();
 };
+ /**
+ * drop rules that have empty rule elements
+ */
+ class dropRuleWithEmptyRE : public BasicRuleProcessor
+ {
+ bool isREEmpty(libfwbuilder::Rule *rule, const std::string &re_type);
+ public:
+ dropRuleWithEmptyRE(const std::string &name) : BasicRuleProcessor(name)
+ { }
+ virtual bool processNext();
+ };
+
 /**
 * if MultiAddress object failed to convert itself to a group
 * of addresses and compiler runs in a test mode, we use dummy
diff --git a/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp b/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp
index b2fe6286c..614c2abc4 100644
--- a/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp
+++ b/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp
@@ -846,26 +846,6 @@ bool NATCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
 return true;
 }
-bool NATCompiler::dropRuleWithEmptyRE::processNext()
-{
- NATRule *rule = getNext(); if (rule==NULL) return false;
- RuleElementOSrc *osrcrel = rule->getOSrc();
- RuleElementODst *odstrel = rule->getODst();
- RuleElementTSrc *tsrcrel = rule->getTSrc();
- RuleElementTDst *tdstrel = rule->getTDst();
- if ((osrcrel->size() == 0) || (odstrel->size() == 0)) return true;
- if ((tsrcrel->size() == 0) || (tdstrel->size() == 0)) return true;
-// Address *osrc = compiler->getFirstOSrc(rule);
-// Address *odst = compiler->getFirstODst(rule);
-// Address *tsrc = compiler->getFirstTSrc(rule);
-// Address *tdst = compiler->getFirstTDst(rule);
-// if (osrc!=NULL && odst!=NULL && tsrc!=NULL && tdst!=NULL)
-// tmp_queue.push_back(rule);
-
- tmp_queue.push_back(rule);
- return true;
-}
-
 string NATCompiler::debugPrintRule(libfwbuilder::Rule *r)
 {
 NATRule *rule = NATRule::cast(r);
diff --git a/src/libfwbuilder/src/fwcompiler/NATCompiler.h b/src/libfwbuilder/src/fwcompiler/NATCompiler.h
index 622ba95f0..c16423d69 100644
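Review bot: The doc comment on the new `dropRuleWithEmptyRE` class, `drop rules that have empty rule elements`, does not say which elements are inspected, and that is exactly what decides whether a rule silently disappears from the output now that one processor serves both policy and NAT compilers. I would expand it to: `/** Drops a rule from the stream when one of its rule elements holds no objects: Src or Dst for policy rules; OSrc, ODst, OSrv, TSrc, TDst or TSrv for NAT rules. Other rule types pass through untouched. The rule is discarded without a diagnostic. */`. Since `isREEmpty` uses no instance state, declaring it `static bool isREEmpty(libfwbuilder::Rule *rule, const std::string &re_type);` documents that too. The enclosing class Compiler starts and ends outside this hunk.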
--- a/src/libfwbuilder/src/fwcompiler/NATCompiler.h
+++ b/src/libfwbuilder/src/fwcompiler/NATCompiler.h
@@ -212,11 +212,6 @@ namespace fwcompiler {
 DropRulesByAddressFamilyAndServiceType(n, true) {};
 };
- /**
- * drop rules that have empty rule elements
- */
- DECLARE_NAT_RULE_PROCESSOR(dropRuleWithEmptyRE);
-
 /**
 * deals with recursive groups in OSrc. See description for
 * Compiler::recursiveGroupsInRE
diff --git a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
index 911d68199..7b434dd00 100644
--- a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
+++ b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
@@ -1174,20 +1174,6 @@ bool PolicyCompiler::DropRulesByAddressFamilyAndServiceType::processNext()
 return true;
 }
-bool PolicyCompiler::dropRuleWithEmptyRE::processNext()
-{
- PolicyRule *rule = getNext(); if (rule==NULL) return false;
- RuleElementSrc *srcrel=rule->getSrc();
- RuleElementDst *dstrel=rule->getDst();
- if ((srcrel->size() == 0) || (dstrel->size() == 0)) return true;
-// Address *src = compiler->getFirstSrc(rule);
-// Address *dst = compiler->getFirstDst(rule);
-// if (src!=NULL && dst!=NULL) tmp_queue.push_back(rule);
- tmp_queue.push_back(rule);
- return true;
-}
-
-
 string PolicyCompiler::debugPrintRule(Rule *r)
 {
 PolicyRule *rule=PolicyRule::cast(r);
diff --git a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
index c84b39097..9e65623b4 100644
--- a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
+++ b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
@@ -292,11 +292,6 @@ namespace fwcompiler {
 DropRulesByAddressFamilyAndServiceType(n, true) {};
 };
- /**
- * drop rules that have empty rule elements
- */
- DECLARE_POLICY_RULE_PROCESSOR(dropRuleWithEmptyRE);
-
 /**
 * deals with recursive groups in Src. See description for
 * Compiler::recursiveGroupsInRE