
Feature: NX-OS support.

This commit is contained in:
Sirius Bakke 2013-06-27 10:29:23 +02:00
parent 7527dc1123
commit 897e77a333
58 changed files with 6652 additions and 14 deletions

.gitignore vendored

@ -34,6 +34,7 @@ qtdbus_test
fwbedit
qrc_MainRes.cpp
fwb_iosacl
fwb_nxosacl
fwb_ipf
fwb_ipfw
fwb_ipt


@ -14,6 +14,6 @@ VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
GENERATION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION"
# Data format version
FWBUILDER_XML_VERSION=22
FWBUILDER_XML_VERSION=23

doc/README.nxosacl Normal file

@ -0,0 +1,13 @@
Policy compiler for Cisco NXOS Access lists has been implemented as
part of the Firewall Builder GUI as of version 5.2.0.
Support for Cisco NXOS access lists in Firewall Builder v5.2.0, build 3600:
----------------------------------------------------------------
Features implemented in this version:
- The implementation is based on Cisco IOS Access lists with small modifications.
Support or Session Manager is added, and the rest should probably work as NXOS
is quite similar to IOS. More extended testing is needed to find bugs and
differences.


@ -0,0 +1,83 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "AutomaticRules_nxosacl.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include <QString>
using namespace fwcompiler;
using namespace libfwbuilder;
using namespace std;
void AutomaticRules_nxosacl::addSshAccessRule()
{
if (ruleset == NULL) return;
FWOptions *fwopt = fw->getOptionsObject();
if (fwopt->getBool("mgmt_ssh") && ! fwopt->getStr("mgmt_addr").empty())
{
AutomaticRules_cisco::addSshAccessRule();
/*
* AutomaticRules_cisco::addDefaultPolicyRule() adds a rule to
* permit backup ssh access to the firewall. Since NXOS ACL are
* stateless, we need to add another rule to permit reply
* packets.
*/
TCPService *ssh_rev = ruleset->getRoot()->createTCPService();
ssh_rev->setSrcRangeStart(22);
ssh_rev->setSrcRangeEnd(22);
persistent_objects->add(ssh_rev, false);
Network *mgmt_workstation = ruleset->getRoot()->createNetwork();
mgmt_workstation->setAddressNetmask(fwopt->getStr("mgmt_addr"));
persistent_objects->add(mgmt_workstation, false);
addMgmtRule(
fw, mgmt_workstation, ssh_rev,
NULL, PolicyRule::Outbound, PolicyRule::Accept,
"backup ssh access rule (out)");
}
}
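Review bot: The comment inside the `mgmt_ssh` branch says `AutomaticRules_cisco::addDefaultPolicyRule()` adds the backup ssh rule, but the call it explains two lines above is `AutomaticRules_cisco::addSshAccessRule()`; fix the name so nobody goes looking for a rule that is not added here: `* AutomaticRules_cisco::addSshAccessRule() adds a rule to`. Because NX-OS ACLs are stateless, the extra outbound rule matches only on TCP source port 22 from the firewall to `mgmt_addr`, which is wider than a true reply match; that is inherent to the approach, but spelling it out in the comment (`// stateless: matches any fw->mgmt TCP with sport 22, not just replies`) protects the backup path from a later well-meant "tightening". `mgmt_addr` goes straight from user options into `setAddressNetmask()` with no validation in this function; presumably a malformed value throws FWException and the driver's catch reports it, but if it silently defaults instead the reverse rule would point at the wrong subnet, so that is worth confirming.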


@ -0,0 +1,57 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __AUTOMATICRULES_NXOSACL_HH__
#define __AUTOMATICRULES_NXOSACL_HH__
#include "AutomaticRules_cisco.h"
namespace libfwbuilder
{
class Address;
class Firewall;
class Interface;
class Service;
};
namespace fwcompiler
{
class AutomaticRules_nxosacl : public AutomaticRules_cisco
{
public:
AutomaticRules_nxosacl(libfwbuilder::Firewall *fw,
libfwbuilder::Library *presistent_objects) :
AutomaticRules_cisco(fw, presistent_objects) {}
void addSshAccessRule();
};
};
#endif
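Review bot: The constructor parameter is spelled `presistent_objects` in both the declaration and the initializer, while the .cpp and the driver use `persistent_objects`; the name is internal to this header, so the rename is free: `libfwbuilder::Library *persistent_objects) :` and `AutomaticRules_cisco(fw, persistent_objects) {}`. `void addSshAccessRule();` re-declares the base-class method without `virtual`; if `AutomaticRules_cisco` declares it virtual (that header is not in this commit) this overrides, otherwise it only hides, and writing `virtual void addSshAccessRule();` makes the intent explicit either way.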


@ -0,0 +1,238 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include <fstream>
#include <iostream>
#include <algorithm>
#include <functional>
#include <stdexcept>
#include <assert.h>
#include <string>
#include <cstring>
#include <iomanip>
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "Configlet.h"
#include "CompilerDriver_nxosacl.h"
#include "PolicyCompiler_nxosacl.h"
#include "ACL.h"
#include "BaseObjectGroup.h"
#include "NamedObjectsAndGroupsSupport.h"
#include <QString>
#include <QFileInfo>
#include <QDir>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
#ifdef _WIN32
string fs_separator = "\\";
#else
string fs_separator = "/";
#endif
CompilerDriver_nxosacl::CompilerDriver_nxosacl(FWObjectDatabase *db) :
CompilerDriver(db)
{
safety_net_install_option_name = "nxosacl_acl_substitution";
safety_net_install_acl_addr_option_name = "nxosacl_acl_temp_addr";
}
// create a copy of itself, including objdb
CompilerDriver* CompilerDriver_nxosacl::clone()
{
CompilerDriver_nxosacl* new_cd = new CompilerDriver_nxosacl(objdb);
if (inEmbeddedMode()) new_cd->setEmbeddedMode();
return new_cd;
}
void CompilerDriver_nxosacl::printProlog(QTextStream &file, const string &prolog_code)
{
file << endl;
file << "#" << endl;
file << "# Prolog script" << endl;
file << "#" << endl;
file << prolog_code << endl;
file << "#" << endl;
file << "# End of prolog script" << endl;
file << "#" << endl;
}
string CompilerDriver_nxosacl::safetyNetInstall(Firewall *fw)
{
ostringstream output;
if ( fw->getOptionsObject()->getBool(safety_net_install_option_name) )
{
/* Generate short temporary ACL and assign it to all
* interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500)
as well as ssh from given subnet to any.
*/
string temp_acl_addr = fw->getOptionsObject()->getStr(
safety_net_install_acl_addr_option_name);
if (temp_acl_addr.empty())
{
QString err = QObject::tr("Missing address for management host or subnet "
"for the temporary ACL.\nPlease enter it in the "
"tab 'Script options' in 'Firewall Settings' dialog");
abort(fw, NULL, NULL, err.toStdString());
}
// if templ_acl_addr is ipv4 address, then we can not create this
// temporary ACL while compiling ipv6 policy. And vice versa.
bool create_temp_acl = false;
bool tmp_acl_ipv6 = false;
if (temp_acl_addr.find(":")!=string::npos)
{
//looks like ipv6
create_temp_acl = true;
tmp_acl_ipv6 = true;
} else
{
// not ipv6, assume ipv4
create_temp_acl = true;
tmp_acl_ipv6 = false;
}
if (create_temp_acl)
{
string::size_type slash_idx = temp_acl_addr.find('/');
string addr = temp_acl_addr;
string netmask = "255.255.255.255";
bool tmp_acl_v6 = false;
// check if addr is v6
try
{
InetAddr addrv6(AF_INET6, temp_acl_addr);
tmp_acl_v6 = true;
} catch(FWException &ex)
{
// Assume cnf->maddr is ipv4
if (slash_idx!=string::npos)
{
addr = temp_acl_addr.substr(0,slash_idx);
netmask = temp_acl_addr.substr(slash_idx+1);
try
{
if (netmask.find(".")!=string::npos)
{
InetAddr nm(netmask);
nm.getLength(); // to avoid warning abt unused var
} else
{
int nm_length;
istringstream str(netmask);
str >> nm_length;
InetAddr nm(nm_length);
netmask = nm.toString();
}
} catch(FWException &ex)
{
QString err = QObject::tr("Invalid netmask for management subnet: "
"'%1'").arg(netmask.c_str());
abort(fw, NULL, NULL, err.toStdString());
}
}
try
{
InetAddr a(addr);
a.isAny();
} catch(FWException &ex)
{
QString err = QObject::tr("Invalid address for management subnet: "
"'%1'").arg(addr.c_str());
abort(fw, NULL, NULL, err.toStdString());
}
}
Configlet configlet(fw, "cisco", "safety_net_acl");
configlet.collapseEmptyStrings(true);
if (tmp_acl_v6)
{
configlet.setVariable("ipv4", false);
configlet.setVariable("ipv6", true);
configlet.setVariable("slash_notation", slash_idx!=string::npos);
configlet.setVariable("host_addr", slash_idx==string::npos);
configlet.setVariable("management_addr", addr.c_str());
configlet.setVariable("management_netm", "");
} else
{
InetAddr nnm( ~(InetAddr(netmask)) );
configlet.setVariable("ipv4", true);
configlet.setVariable("ipv6", false);
configlet.setVariable("management_addr", addr.c_str());
configlet.setVariable("management_netm", nnm.toString().c_str());
}
// find management interface
list<FWObject*> ll = fw->getByType(Interface::TYPENAME);
for (FWObject::iterator i=ll.begin(); i!=ll.end(); i++)
{
Interface *intf = Interface::cast( *i );
if (intf->isManagement())
{
configlet.setVariable("management_interface",
intf->getName().c_str());
FWOptions *ifopt = intf->getOptionsObject();
string itype = ifopt->getStr("type");
configlet.setVariable("management_interface_is_vlan",
(itype == "8021q"));
configlet.setVariable("management_interface_is_not_vlan",
(itype != "8021q"));
if (itype == "8021q")
configlet.setVariable("management_interface_vlan_id",
ifopt->getInt("vlan_id"));
else
configlet.setVariable("management_interface_vlan_id", "");
break;
}
}
output << configlet.expand().toStdString();
output << endl;
}
}
return output.str();
}
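Review bot: In `safetyNetInstall()` the prefix-length branch does `istringstream str(netmask); str >> nm_length;` and never checks that the extraction succeeded, so a netmask field that is neither dotted nor numeric (a typo such as `abc`) leaves `nm_length` unset, or 0 under C++11 stream semantics, instead of throwing; `InetAddr nm(nm_length)` can then yield a /0 mask, and since this mask feeds the temporary safety-net ACL, the result may be an ACL that permits SSH from any source rather than from the management subnet. Validate the parse inside the existing try so the 'Invalid netmask' abort fires: `if (!(str >> nm_length) || nm_length < 0 || nm_length > 32) throw FWException("bad prefix length");`. Separately, `create_temp_acl` and `tmp_acl_ipv6` computed near the top are assigned on both branches and never read (`tmp_acl_v6` is recomputed from `InetAddr(AF_INET6, ...)`), so that block is dead and can go. The empty-address case calls `abort(fw, NULL, NULL, err)` and falls through; if `CompilerDriver::abort` only records the error in test mode rather than throwing (I cannot see it from here), the code below continues with an empty address, which is worth confirming.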


@ -0,0 +1,89 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __COMPILER_DRIVER_NXOSACL_HH__
#define __COMPILER_DRIVER_NXOSACL_HH__
#include "CompilerDriver.h"
#include <string>
#include <sstream>
#include <QTextStream>
namespace libfwbuilder {
class FWObjectDatabase;
class Cluster;
class ClusterGroup;
class Firewall;
class RuleSet;
class Interface;
};
namespace fwcompiler {
class ciscoACL;
class NamedObjectsManager;
class CompilerDriver_nxosacl : public CompilerDriver
{
protected:
std::string system_configuration_script;
std::string nat_script;
std::string policy_script;
std::string routing_script;
std::string safety_net_install_option_name;
std::string safety_net_install_acl_addr_option_name;
std::string safetyNetInstall(libfwbuilder::Firewall *fw);
void printProlog(QTextStream &file, const std::string &prolog_code);
virtual QString assembleManifest(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall* fw,
bool cluster_member);
virtual QString printActivationCommands(libfwbuilder::Firewall *fw);
virtual QString assembleFwScript(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall* fw,
bool cluster_member,
OSConfigurator *ocsnf);
public:
CompilerDriver_nxosacl(libfwbuilder::FWObjectDatabase *db);
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
virtual QString run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id);
};
};
#endif


@ -0,0 +1,432 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include <fstream>
#include <iostream>
#include <algorithm>
#include <functional>
#include <stdexcept>
#include <memory>
#include <assert.h>
#include <cstring>
#include <iomanip>
#include "CompilerDriver_nxosacl.h"
#include "AutomaticRules_nxosacl.h"
#include "PolicyCompiler_nxosacl.h"
#include "RoutingCompiler_nxosacl.h"
#include "OSConfigurator_nxos.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "NamedObjectsManagerNXOS.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwcompiler/Preprocessor.h"
#include <QStringList>
#include <QFileInfo>
#include <QFile>
#include <QTextStream>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
QString CompilerDriver_nxosacl::assembleManifest(Cluster *, Firewall* , bool )
{
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << "!" << MANIFEST_MARKER
<< "* " << this->escapeFileName(file_names[FW_FILE]) << endl;
return script_buffer;
}
QString CompilerDriver_nxosacl::printActivationCommands(Firewall*)
{
return "";
}
QString CompilerDriver_nxosacl::assembleFwScript(Cluster *cluster,
Firewall *fw,
bool cluster_member,
OSConfigurator *oscnf)
{
Configlet script_skeleton(fw, "cisco", "script_skeleton");
Configlet top_comment(fw, "cisco", "top_comment");
script_skeleton.setVariable("system_configuration_script",
QString::fromUtf8(system_configuration_script.c_str()));
script_skeleton.setVariable("policy_script",
QString::fromUtf8(policy_script.c_str()));
script_skeleton.setVariable("nat_script",
QString::fromUtf8(nat_script.c_str()));
script_skeleton.setVariable("routing_script",
QString::fromUtf8(routing_script.c_str()));
FWOptions* options = fw->getOptionsObject();
options->setStr("prolog_script", options->getStr("nxosacl_prolog_script"));
options->setStr("epilog_script", options->getStr("nxosacl_epilog_script"));
// we do not offer user a choice of the place where to put prolog
// lines, therefore we can reset this attribute to make sure it
// does not interfere
options->setStr("prolog_place", "");
assembleFwScriptInternal(cluster, fw, cluster_member,
oscnf, &script_skeleton, &top_comment, "!", true);
return script_skeleton.expand();
}
QString CompilerDriver_nxosacl::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
Firewall *fw = NULL;
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
try
{
clearReadOnly(fw);
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
commonChecks2(cluster, fw);
// Note that fwobjectname may be different from the name of the
// firewall fw This happens when we compile a member of a cluster
current_firewall_name = fw->getName().c_str();
determineOutputFileNames(cluster, fw, !cluster_id.empty(),
QStringList(""), QStringList("fw"),
QStringList(""));
/* Now that all checks are done, we can drop copies of cluster
* interfaces that were added to the firewall by
* CompilerDriver::populateClusterElements()
*/
list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
list<FWObject*> copies_of_cluster_interfaces;
for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
{
Interface *iface = Interface::cast(*i);
assert(iface);
if (iface->getOptionsObject()->getBool("cluster_interface"))
copies_of_cluster_interfaces.push_back(iface);
}
while (copies_of_cluster_interfaces.size())
{
fw->remove(copies_of_cluster_interfaces.front());
copies_of_cluster_interfaces.pop_front();
}
FWOptions* options = fw->getOptionsObject();
string fwvers = fw->getStr("version");
if (fwvers == "") fw->setStr("version", "12.1");
if (fwvers == "12.x") fw->setStr("version", "12.1");
string platform = fw->getStr("platform");
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + fwvers + "/nxosacl_commands/clear_ip_acl");
if (clearACLCmd.empty())
{
// incorrect version. This could have happened if user converted
// firewall platform. See bug #2662290
fw->setStr("version", "12.1");
}
bool nxos_acl_basic = options->getBool("nxos_acl_basic");
bool nxos_acl_no_clear = options->getBool("nxos_acl_no_clear");
bool nxos_acl_substitution = options->getBool("nxos_acl_substitution");
bool nxos_add_clear_statements = options->getBool("nxos_add_clear_statements");
if ( !nxos_acl_basic &&
!nxos_acl_no_clear &&
!nxos_acl_substitution )
{
if ( nxos_add_clear_statements ) options->setBool("nxos_acl_basic",true);
else options->setBool("nxos_acl_no_clear",true);
}
std::auto_ptr<OSConfigurator_nxos> oscnf(new OSConfigurator_nxos(objdb, fw, false));
oscnf->prolog();
oscnf->processFirewallOptions();
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
try
{
AutomaticRules_nxosacl auto_rules(fw, persistent_objects);
auto_rules.addSshAccessRule();
} catch (FWException &ex)
{
abort(ex.toString());
}
// assign unique rule ids that later will be used to generate
// chain names. This should be done after calls to
// findImportedRuleSets()
// NB: these ids are not used by this compiler
assignUniqueRuleIds(all_policies);
vector<int> ipv4_6_runs;
if (!single_rule_compile_on)
system_configuration_script = safetyNetInstall(fw);
NamedObjectsManagerNXOS named_objects_manager(persistent_objects, fw);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
// If neither is used, both parts will be done.
if (options->getStr("ipv4_6_order").empty() ||
options->getStr("ipv4_6_order") == "ipv4_first")
{
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
}
if (options->getStr("ipv4_6_order") == "ipv6_first")
{
if (ipv6_run) ipv4_6_runs.push_back(AF_INET6);
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
}
string clear_commands;
string object_groups_definitions;
for (vector<int>::iterator i=ipv4_6_runs.begin();
i!=ipv4_6_runs.end(); ++i)
{
int policy_af = *i;
bool ipv6_policy = (policy_af == AF_INET6);
// Count rules for each address family
int policy_count = 0;
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p)
{
Policy *policy = Policy::cast(*p);
if (policy->matchingAddressFamily(policy_af)) policy_count++;
}
if (policy_count)
{
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb, fw, false));
if (inTestMode()) prep->setTestMode();
if (inEmbeddedMode()) prep->setEmbeddedMode();
prep->compile();
}
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p )
{
Policy *policy = Policy::cast(*p);
if (!policy->matchingAddressFamily(policy_af)) continue;
PolicyCompiler_nxosacl c(objdb, fw, ipv6_policy, oscnf.get());
c.setNamedObjectsManager(&named_objects_manager);
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
c.setPersistentObjects(persistent_objects);
c.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) c.setTestMode();
if (inEmbeddedMode()) c.setEmbeddedMode();
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
c.setVerbose( verbose );
if ( c.prolog() > 0 )
{
c.compile();
c.epilog();
if (!single_rule_compile_on)
{
if (ipv6_policy)
{
policy_script += "\n\n";
policy_script += "! ================ IPv6\n";
policy_script += "\n\n";
} else
{
policy_script += "\n\n";
policy_script += "! ================ IPv4\n";
policy_script += "\n\n";
}
}
if (c.haveErrorsAndWarnings())
{
all_errors.push_back(c.getErrors("").c_str());
}
policy_script += c.getCompiledScript();
clear_commands += c.printClearCommands();
//named_objects_manager.saveObjectGroups();
} else
info(" Nothing to compile in Policy");
}
if (!ipv6_policy)
{
list<FWObject*> all_routing = fw->getByType(Routing::TYPENAME);
RuleSet *routing = RuleSet::cast(all_routing.front());
// currently routing is supported only for ipv4
RoutingCompiler_nxosacl r(objdb, fw, false, oscnf.get());
r.setNamedObjectsManager(&named_objects_manager);
r.setSourceRuleSet(routing);
r.setRuleSetName(routing->getName());
r.setPersistentObjects(persistent_objects);
r.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) r.setTestMode();
if (inEmbeddedMode()) r.setEmbeddedMode();
r.setDebugLevel( dl );
if (rule_debug_on) r.setDebugRule( drp );
r.setVerbose( verbose );
if ( r.prolog() > 0 )
{
r.compile();
r.epilog();
if (r.haveErrorsAndWarnings())
{
all_errors.push_back(r.getErrors("").c_str());
}
routing_script += r.getCompiledScript();
} else
info(" Nothing to compile in Routing");
}
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());
}
object_groups_definitions +=
named_objects_manager.getNamedObjectsDefinitions();
if (single_rule_compile_on)
{
return formSingleRuleCompileOutput(
QString::fromUtf8(
(object_groups_definitions +
policy_script + routing_script).c_str()));
}
if ( fw->getOptionsObject()->getBool("nxosacl_acl_basic") ||
fw->getOptionsObject()->getBool("nxosacl_acl_substitution"))
{
clear_commands += named_objects_manager.getClearCommands() + "\n";
}
system_configuration_script += clear_commands;
system_configuration_script += object_groups_definitions;
QString script_buffer = assembleFwScript(
cluster, fw, !cluster_id.empty(), oscnf.get());
QString ofname = getAbsOutputFileName(file_names[FW_FILE]);
info("Output file name: " + ofname.toStdString());
QFile fw_file(ofname);
if (fw_file.open(QIODevice::WriteOnly))
{
QTextStream fw_str(&fw_file);
fw_str << script_buffer;
fw_file.close();
fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
QFile::ReadGroup | QFile::ReadOther |
QFile::ExeOwner |
QFile::ExeGroup |
QFile::ExeOther );
info(" Compiled successfully");
} else
{
QString err(" Failed to open file %1 for writing: %2; Current dir: %3");
abort(err.arg(fw_file.fileName())
.arg(fw_file.error()).arg(QDir::current().path()).toStdString());
}
if (!all_errors.isEmpty())
status = BaseCompiler::FWCOMPILER_WARNING;
}
catch (FWException &ex)
{
status = BaseCompiler::FWCOMPILER_ERROR;
return QString::fromUtf8(ex.toString().c_str());
}
return "";
}
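Review bot: The option keys inside `run()` do not agree with each other: the defaulting block reads and writes `nxos_acl_basic`, `nxos_acl_no_clear`, `nxos_acl_substitution` and `nxos_add_clear_statements`, but the check that decides whether `getClearCommands()` is appended reads `nxosacl_acl_basic` / `nxosacl_acl_substitution`, and the driver constructor uses `nxosacl_acl_substitution` for the safety-net option. Whichever prefix the GUI actually stores (the options dialog is not in view), one side is reading a key that is never set, so either the default never takes effect or the `no object-group ...` lines never reach the script and stale groups remain on the device after a policy change; make them consistent, e.g. `bool nxos_acl_basic = options->getBool("nxosacl_acl_basic");` for all four reads and `options->setBool("nxosacl_acl_basic", true)` / `"nxosacl_acl_no_clear"` in the defaults. The `"12.1"` version fallback and the bug #2662290 comment are carried over from the IOS driver; an IOS release number is unlikely to match a `version_.../nxosacl_commands` resource entry, so the lookup would stay empty — confirm what the nxosacl resource file defines. The generated script is also written with `ReadOther` and `ExeOther`; it contains the management subnet and the full ACL set, so owner/group-only permissions would be the safer default unless the other drivers deliberately share this.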


@ -0,0 +1,150 @@
/*
Firewall Builder
Copyright (C) 2002 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "NXOSObjectGroup.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include <iostream>
#include <sstream>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
const char *NXOSObjectGroup::TYPENAME={"NXOSObjectGroup"};
QString NXOSObjectGroup::groupMemberToString(FWObject *obj,
NamedObjectsManager*)
throw(libfwbuilder::FWException)
{
ostringstream ostr;
switch (getObjectGroupType())
{
case NETWORK:
{
Address *a = Address::cast(obj);
assert(a!=NULL);
if (AddressRange::cast(a))
{
const InetAddr &start = AddressRange::cast(a)->getRangeStart();
const InetAddr &end = AddressRange::cast(a)->getRangeEnd();
ostr << "range " << start.toString() << " " << end.toString();
} else
{
const InetAddr *addr = a->getAddressPtr();
if (Network::cast(obj)!=NULL)
{
const InetAddr *mask = a->getNetmaskPtr();
// Note: the syntax is "A.B.C.D /NN" (there must be space before /)
ostr << addr->toString() << " /" << mask->getLength();
} else {
ostr << "host " << addr->toString();
}
}
break;
}
case PROTO:
{
Service *s = Service::cast(obj);
assert(s!=NULL);
ostr << s->getProtocolNumber();
break;
}
case ICMP_TYPE:
{
ostr << "icmp ";
ICMPService *s = ICMPService::cast(obj);
assert(s!=NULL);
if ( s->getInt("type")== -1) ostr << "";
else ostr << s->getInt("type");
break;
}
case TCP_SERVICE:
case UDP_SERVICE:
{
if (getObjectGroupType()==TCP_SERVICE) ostr << "tcp ";
else ostr << "udp ";
TCPUDPService *s = TCPUDPService::cast(obj);
assert(s!=NULL);
int rs = s->getDstRangeStart();
int re = s->getDstRangeEnd();
if (rs<0) rs = 0;
if (re<0) re = 0;
if (rs>0 || re>0) {
if (rs==re) ostr << "eq " << rs;
else ostr << "range " << rs << " " << re;
}
else ostr << "range 0 65535";
break;
}
default:
throw FWException("Unknown object group type");
}
return ostr.str().c_str();
}
string NXOSObjectGroup::getObjectGroupClass()
{
switch (this->getObjectGroupType())
{
case NETWORK: return "network";
case PROTO:
case ICMP_TYPE:
case TCP_SERVICE:
case UDP_SERVICE: return "service";
default: throw FWException("Unknown object group type");
}
}
string NXOSObjectGroup::getObjectGroupHeader()
{
ostringstream ostr;
ostr << "object-group " << getObjectGroupClass() << " " << this->getName();
return ostr.str();
}
string NXOSObjectGroup::getObjectGroupFooter()
{
return "exit";
}
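Review bot: `getObjectGroupClass()` returns the IOS keywords `network` and `service`, and `groupMemberToString()` emits `A.B.C.D /NN` with a space; on the NX-OS releases I am aware of the group types are `object-group ip address` and `object-group ip port` with members written `host A.B.C.D` or `A.B.C.D/NN`, and the README in this commit itself says the IOS syntax "should probably work", so please verify against a real device before relying on generated groups, since a rejected `object-group` line could leave the referencing ACEs without their members. In the TCP/UDP case, when only one of `rs`/`re` is positive (start set, end 0) the output is `range 1024 0`, which is not a valid port range; unless TCPUDPService guarantees both ends are set together, normalise first: `if (re == 0) re = rs;` before the `rs==re` test. The `assert(a!=NULL)` / `assert(s!=NULL)` checks disappear under NDEBUG and would then dereference NULL; throwing `FWException` as the `default:` branch already does keeps the failure reported to the user.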


@ -0,0 +1,52 @@
/*
Firewall Builder
Copyright (C) 2002 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __NXOSOBJECTGROUP_HH
#define __NXOSOBJECTGROUP_HH
#include "BaseObjectGroup.h"
namespace fwcompiler {
class NXOSObjectGroup : public BaseObjectGroup
{
public:
NXOSObjectGroup() : BaseObjectGroup() { }
virtual ~NXOSObjectGroup() {};
DECLARE_FWOBJECT_SUBTYPE(NXOSObjectGroup);
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string getObjectGroupFooter();
virtual QString groupMemberToString(
libfwbuilder::FWObject *obj, NamedObjectsManager *named_obj_manager)
throw(libfwbuilder::FWException);
};
}
#endif


@ -29,6 +29,7 @@
#include "PIXObjectGroup.h"
#include "ASA8ObjectGroup.h"
#include "IOSObjectGroup.h"
#include "NXOSObjectGroup.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/AddressTable.h"
@ -63,6 +64,12 @@ using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
FWObject* create_NXOSObjectGroup(int id)
{
FWObject *nobj = new NXOSObjectGroup();
if (id > -1) nobj->setId(id);
return nobj;
}
FWObject* create_IOSObjectGroup(int id)
{
@ -102,6 +109,8 @@ NamedObjectsManager::NamedObjectsManager(Library *persistent_objects,
BaseObjectGroup::name_disambiguation.clear();
NamedObject::name_disambiguation.clear();
FWObjectDatabase::registerObjectType(NXOSObjectGroup::TYPENAME,
&create_NXOSObjectGroup);
FWObjectDatabase::registerObjectType(IOSObjectGroup::TYPENAME,
&create_IOSObjectGroup);
FWObjectDatabase::registerObjectType(PIXObjectGroup::TYPENAME,


@ -0,0 +1,67 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "NamedObjectsManagerNXOS.h"
#include "NamedObject.h"
#include "BaseObjectGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Library.h"
#include <sstream>
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
NamedObjectsManagerNXOS::NamedObjectsManagerNXOS(Library *po, Firewall *fw) :
NamedObjectsManager(po, fw)
{
}
NamedObjectsManagerNXOS::~NamedObjectsManagerNXOS()
{
}
string NamedObjectsManagerNXOS::getClearCommands()
{
ostringstream output;
FWObject *object_groups = getObjectGroupsGroup();
for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
output << "no " << og->getObjectGroupHeader() << endl;
}
return output.str();
}
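Review bot: `getClearCommands()` relies on `assert(og!=NULL)` after the `dynamic_cast`, which is compiled out with NDEBUG, so a non-group child of the object-groups container would be dereferenced in a release build; replace it with a real check that skips or reports the object: `if (og == NULL) continue;`. The loop emits `"no "` followed by `getObjectGroupHeader()` for every group, which is only a valid NX-OS command if the header is exactly `object-group <class> <name>` with nothing trailing — true for NXOSObjectGroup in this commit — so a one-line comment stating that assumption (`// relies on getObjectGroupHeader() returning a bare "object-group <class> <name>"`) would protect it from a later header change.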


@ -0,0 +1,54 @@
/*
Firewall Builder
Copyright (C) 2010-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _NAMED_OBJECTS_MANAGER_NXOS_HH
#define _NAMED_OBJECTS_MANAGER_NXOS_HH
#include "config.h"
#include "NamedObjectsManager.h"
namespace libfwbuilder
{
class Group;
class Firewall;
class Library;
};
namespace fwcompiler
{
class NamedObjectsManagerNXOS : public NamedObjectsManager
{
public:
NamedObjectsManagerNXOS(libfwbuilder::Library *persistent_objects,
libfwbuilder::Firewall *_fw);
virtual ~NamedObjectsManagerNXOS();
virtual std::string getClearCommands();
};
}
#endif
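Review bot: `getClearCommands` is declared with no comment saying what it produces, and the matching definition in the .cpp is equally bare; a one-liner above the declaration, `/// Emits one "no <object-group header>" line for every object group the manager holds.`, is all the reader needs. The forward declaration `class Group;` in the `libfwbuilder` namespace is not used by anything declared in this header (only `Library` and `Firewall` appear in the constructor signature), so it can go unless `NamedObjectsManager.h` relies on it.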


@ -0,0 +1,233 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "OSConfigurator_nxos.h"
#include "Helper.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include <list>
#include <algorithm>
#include <functional>
#include <assert.h>
#include <iostream>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
string OSConfigurator_nxos::myPlatformName() { return "nxos"; }
int OSConfigurator_nxos::prolog()
{
string host_os = fw->getStr("host_OS");
if (host_os!="nxos")
abort("Unsupported OS " + host_os );
return Compiler::prolog();
}
void OSConfigurator_nxos::processFirewallOptions()
{
// FWOptions* options=fw->getOptionsObject();
string s;
// int i;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
if ( fw->getOptionsObject()->getBool("nxos_set_host_name") )
{
output << "hostname " << fw->getName() << endl;
output << endl;
}
output << _printNameif();
output << endl;
output << _printIPAddress();
output << endl;
output << _printLogging();
output << endl;
}
string OSConfigurator_nxos::_printNameif()
{
ostringstream res;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string::size_type n;
list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=dynamic_cast<Interface*>(*i);
assert(iface);
string nameifCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/version_")+
version+"/nxos_commands/nameif");
if ((n = nameifCmd.find("%il"))!=string::npos)
nameifCmd.replace(n,3,iface->getLabel());
if ((n = nameifCmd.find("%in"))!=string::npos)
nameifCmd.replace(n,3,iface->getName());
res << nameifCmd;
}
res << endl;
return res.str();
}
string OSConfigurator_nxos::_printIPAddress()
{
ostringstream res;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string setAddrCmd;
string::size_type n;
if ( fw->getOptionsObject()->getBool("nxos_ip_address") )
{
list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=dynamic_cast<Interface*>(*i);
assert(iface);
if (iface->isDyn())
{
setAddrCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/version_")+
version+"/nxos_commands/ip_addr_dyn");
}
else
{
if (iface->isUnnumbered())
{
setAddrCmd = "";
} else
{
setAddrCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/version_")+
version+"/nxos_commands/ip_addr_static");
}
}
if ((n = setAddrCmd.find("%il"))!=string::npos)
setAddrCmd.replace(n,3,iface->getLabel());
if ((n = setAddrCmd.find("%in"))!=string::npos)
setAddrCmd.replace(n,3,iface->getName());
if ((n = setAddrCmd.find("%a"))!=string::npos)
setAddrCmd.replace(n,2,iface->getAddressPtr()->toString());
if ((n = setAddrCmd.find("%n"))!=string::npos)
setAddrCmd.replace(n,2,iface->getNetmaskPtr()->toString());
res << setAddrCmd;
}
}
res << endl;
return res.str();
}
string OSConfigurator_nxos::_printLogging()
{
Helper helper(this);
ostringstream str;
bool logging_on=false;
bool nxosacl_generate_logging_commands = fw->getOptionsObject()->getBool(
"nxosacl_generate_logging_commands");
if (nxosacl_generate_logging_commands)
{
string syslog_host = fw->getOptionsObject()->getStr("nxosacl_syslog_host");
string syslog_facility= fw->getOptionsObject()->getStr("nxosacl_syslog_facility");
string trap_level= fw->getOptionsObject()->getStr("nxosacl_logging_trap_level");
bool buffered = fw->getOptionsObject()->getBool("nxosacl_logging_buffered");
string buffered_level = fw->getOptionsObject()->getStr("nxosacl_logging_buffered_level");
bool console = fw->getOptionsObject()->getBool("nxosacl_logging_console");
string console_level = fw->getOptionsObject()->getStr("nxosacl_logging_console_level");
bool timestamp = fw->getOptionsObject()->getBool("nxosacl_logging_timestamp");
if ( ! timestamp ) str << "no ";
str << "service timestamp log datetime localtime" << endl;
if ( ! syslog_host.empty() )
{
str << endl;
str << "logging host " << syslog_host << endl;
if ( ! syslog_facility.empty() )
str << "logging facility " << syslog_facility << endl;
if ( ! trap_level.empty() )
str << "logging trap " << trap_level << endl;
logging_on=true;
}
if ( ! buffered ) str << "no logging buffered" << endl;
else
{
str << "logging buffered " << buffered_level << endl;
logging_on=true;
}
if ( ! console ) str << "no logging console" << endl;
else
{
str << "logging console " << console_level << endl;
logging_on=true;
}
str << endl;
}
return str.str();
}
void OSConfigurator_nxos::addVirtualAddressForNAT(const Address*)
{
}
void OSConfigurator_nxos::addVirtualAddressForNAT(const Network*)
{
}
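Review bot: `logging_on` in `_printLogging` is assigned in the `logging host`, `logging buffered` and `logging console` branches but never read, and `Helper helper(this)` on the first line of that function is equally unused; both look like leftovers from the IOS configurator this file was derived from and should be dropped. `processFirewallOptions` has the same pattern with `s`, `version` and `platform`, which are read and then never used. In `_printIPAddress`, `iface->getAddressPtr()->toString()` and `iface->getNetmaskPtr()->toString()` dereference the returned pointers without a null check; I cannot tell from here whether an interface that is neither dynamic nor unnumbered is guaranteed to carry an address object, so a guard such as `if (iface->getAddressPtr() == NULL || iface->getNetmaskPtr() == NULL) continue;` placed before the placeholder substitutions would be the defensive choice. Note also that `find`/`replace` substitute only the first occurrence of each `%il`/`%in`/`%a`/`%n` placeholder, which is correct only as long as the command templates in the resource file use each placeholder at most once.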


@ -0,0 +1,60 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _OSNETWORKCONFIGURATOR_NXOS_HH
#define _OSNETWORKCONFIGURATOR_NXOS_HH
#include "config.h"
#include "fwcompiler/OSConfigurator.h"
#include <map>
namespace fwcompiler {
class OSConfigurator_nxos : public OSConfigurator {
std::string _printNameif();
std::string _printIPAddress();
std::string _printLogging();
public:
virtual ~OSConfigurator_nxos() {};
OSConfigurator_nxos(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) {}
virtual int prolog();
virtual std::string myPlatformName();
virtual void processFirewallOptions();
virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr);
virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw);
};
};
#endif


@ -0,0 +1,521 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "PolicyCompiler_nxosacl.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/ObjectMirror.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
string PolicyCompiler_nxosacl::myPlatformName() { return "nxosacl"; }
PolicyCompiler_nxosacl::PolicyCompiler_nxosacl(FWObjectDatabase *_db,
Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf) :
PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf)
{
resetinbound = false;
fragguard = false;
comment_symbol = "!";
}
int PolicyCompiler_nxosacl::prolog()
{
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string host_os = fw->getStr("host_OS");
if (platform!="nxosacl")
abort("Unsupported platform " + platform );
fw->getOptionsObject()->setBool("generate_out_acl", true);
fw->getOptionsObject()->setBool(
"use_acl_remarks",
fw->getOptionsObject()->getBool("nxosacl_use_acl_remarks"));
// object_groups = new Group();
// persistent_objects->add( object_groups );
setAllNetworkZonesToNone();
return PolicyCompiler::prolog();
}
bool PolicyCompiler_nxosacl::checkForDynamicInterface::findDynamicInterface(
PolicyRule *rule, RuleElement *rel)
{
string vers=compiler->fw->getStr("version");
for (list<FWObject*>::iterator i1=rel->begin(); i1!=rel->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Interface *iface=Interface::cast(obj);
if (iface!=NULL && iface->isDyn())
compiler->abort(
rule,
"Dynamic interface can not be used in the NXOS ACL rules.");
}
return true;
}
bool PolicyCompiler_nxosacl::checkForDynamicInterface::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
findDynamicInterface(rule,rule->getSrc());
findDynamicInterface(rule,rule->getDst());
tmp_queue.push_back(rule);
return true;
}
/*
* Copy all references from rule element re1 to rule element re2.
*/
void PolicyCompiler_nxosacl::mirrorRule::duplicateRuleElement(
RuleElement *re1, RuleElement *re2)
{
re2->clearChildren();
for (list<FWObject*>::iterator i1=re1->begin(); i1!=re1->end(); ++i1)
{
FWObject *obj = FWReference::getObject(*i1);
re2->addRef(obj);
}
}
bool PolicyCompiler_nxosacl::mirrorRule::processNext()
{
//PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast<PolicyCompiler_nxosacl*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
if (rule->getOptionsObject()->getBool("nxosacl_add_mirror_rule"))
{
PolicyRule *r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setAction(rule->getAction());
switch (rule->getDirection())
{
case PolicyRule::Inbound: r->setDirection(PolicyRule::Outbound); break;
case PolicyRule::Outbound: r->setDirection(PolicyRule::Inbound); break;
default: r->setDirection(PolicyRule::Both); break;
}
RuleElementSrc *osrc = rule->getSrc();
RuleElementDst *odst = rule->getDst();
RuleElementSrv *osrv = rule->getSrv();
RuleElementItf *oitf = rule->getItf();
RuleElementSrc *nsrc = r->getSrc();
RuleElementDst *ndst = r->getDst();
RuleElementSrv *nsrv = r->getSrv();
RuleElementItf *nitf = r->getItf();
duplicateRuleElement(osrc, ndst);
duplicateRuleElement(odst, nsrc);
duplicateRuleElement(oitf, nitf);
if (!osrv->isAny())
{
ObjectMirror mirror;
nsrv->clearChildren();
for (list<FWObject*>::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1)
{
Service *nobj = mirror.getMirroredService(
Service::cast(FWReference::getObject(*i1)));
if (nobj->getParent() == NULL)
compiler->persistent_objects->add(nobj, false);
nsrv->addRef(nobj);
}
}
tmp_queue.push_back(r);
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_nxosacl::SpecialServices::processNext()
{
//PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast<PolicyCompiler_nxosacl*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Service *s = compiler->getFirstSrv(rule);
if (IPService::cast(s)!=NULL)
{
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
compiler->abort(
rule,
"NXOS ACL does not support checking for IP options in ACLs.");
}
if (TCPService::cast(s)!=NULL && TCPService::cast(s)->inspectFlags())
{
string version = compiler->fw->getStr("version");
if (XMLTools::version_compare(version, "12.4")<0)
compiler->abort(rule, "TCP flags match requires NXOS v12.4 or later.");
}
tmp_queue.push_back(rule);
return true;
}
/*
* This rule processor is used to separate TCP service objects that
* match tcp flags when generated config uses object-group clause
*/
bool PolicyCompiler_nxosacl::splitTCPServiceWithFlags::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementSrv *srv = rule->getSrv();
if (srv->size() > 1)
{
std::list<FWObject*> cl;
for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Service *s=Service::cast(obj);
assert(s!=NULL);
TCPService *tcp_srv = TCPService::cast(s);
if (tcp_srv && (tcp_srv->inspectFlags() || tcp_srv->getEstablished()))
cl.push_back(s);
}
while (!cl.empty())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
RuleElementSrv *nsrv = r->getSrv();
nsrv->clearChildren();
nsrv->addRef( cl.front() );
tmp_queue.push_back(r);
srv->removeRef( cl.front() );
cl.pop_front();
}
if (srv->size()>0) tmp_queue.push_back(rule);
} else
tmp_queue.push_back(rule);
return true;
}
void PolicyCompiler_nxosacl::compile()
{
string banner = " Compiling ruleset " + getSourceRuleSet()->getName();
if (ipv6) banner += ", IPv6";
info(banner);
string version = fw->getStr("version");
bool supports_object_groups = XMLTools::version_compare(version, "12.4")>=0 &&
fw->getOptionsObject()->getBool("nxosacl_use_object_groups") && ! ipv6;
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
Compiler::compile();
if ( fw->getOptionsObject()->getBool ("check_shading") &&
! inSingleRuleCompileMode())
{
add( new Begin("Detecting rule shadowing" ) );
add( new printTotalNumberOfRules());
add( new ItfNegation("process negation in Itf" ) );
add( new InterfacePolicyRules(
"process interface policy rules and store interface ids"));
add( new recursiveGroupsInSrc("check for recursive groups in SRC"));
add( new recursiveGroupsInDst("check for recursive groups in DST"));
add( new recursiveGroupsInSrv("check for recursive groups in SRV"));
add( new ExpandGroups("expand groups"));
add( new dropRuleWithEmptyRE(
"drop rules with empty rule elements"));
add( new eliminateDuplicatesInSRC("eliminate duplicates in SRC"));
add( new eliminateDuplicatesInDST("eliminate duplicates in DST"));
add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV"));
add( new ExpandMultipleAddressesInSrc(
"expand objects with multiple addresses in SRC" ) );
add( new ExpandMultipleAddressesInDst(
"expand objects with multiple addresses in DST" ) );
add( new dropRuleWithEmptyRE(
"drop rules with empty rule elements"));
add( new mirrorRule("Add mirrored rules"));
add( new ConvertToAtomic("convert to atomic rules" ) );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new DetectShadowing("Detect shadowing" ) );
add( new simplePrintProgress() );
runRuleProcessors();
deleteRuleProcessors();
}
add( new Begin (" Start processing rules" ) );
add( new printTotalNumberOfRules ( ) );
add( new singleRuleFilter());
add( new recursiveGroupsInSrc( "check for recursive groups in SRC" ) );
add( new recursiveGroupsInDst( "check for recursive groups in DST" ) );
add( new recursiveGroupsInSrv( "check for recursive groups in SRV" ) );
add( new emptyGroupsInSrc( "check for empty groups in SRC" ) );
add( new emptyGroupsInDst( "check for empty groups in DST" ) );
add( new emptyGroupsInSrv( "check for empty groups in SRV" ) );
add( new ExpandGroups ("expand groups" ) );
add( new dropRuleWithEmptyRE(
"drop rules with empty rule elements"));
add( new eliminateDuplicatesInSRC( "eliminate duplicates in SRC" ) );
add( new eliminateDuplicatesInDST( "eliminate duplicates in DST" ) );
add( new eliminateDuplicatesInSRV( "eliminate duplicates in SRV" ) );
add( new processMultiAddressObjectsInSrc(
"process MultiAddress objects in Src") );
add( new processMultiAddressObjectsInDst(
"process MultiAddress objects in Dst") );
add( new expandGroupsInItf("expand groups in Interface" ));
add( new replaceClusterInterfaceInItf(
"replace cluster interfaces with member interfaces in the Interface rule element"));
add( new ItfNegation( "process negation in Itf" ) );
add( new InterfacePolicyRules(
"process interface policy rules and store interface ids") );
add( new groupServicesByProtocol ("split rules with different protocols" ) );
add( new ExpandMultipleAddressesInSrc(
"expand objects with multiple addresses in SRC" ) );
add( new MACFiltering ("check for MAC address filtering" ) );
// add( new splitByNetworkZonesForSrc ("split rule if objects in Src belong to different network zones " ) );
// add( new replaceFWinDSTPolicy ("replace fw with its interface in DST in global policy rules") );
add( new ExpandMultipleAddressesInDst(
"expand objects with multiple addresses in DST" ) );
add( new MACFiltering(
"check for MAC address filtering" ) );
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
// add( new splitByNetworkZonesForDst ("split rule if objects in Dst belong to different network zones " ) );
if (ipv6)
add( new DropIPv4Rules("drop ipv4 rules"));
else
add( new DropIPv6Rules("drop ipv6 rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new checkForUnnumbered("check for unnumbered interfaces"));
if ( ! supports_object_groups)
add( new addressRanges("process address ranges"));
add( new mirrorRule("Add mirrored rules"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new setInterfaceAndDirectionBySrc(
"Set interface and direction for rules with interface 'all' using SRC"));
add( new setInterfaceAndDirectionByDst(
"Set interface and direction for rules with interface 'all' using DST"));
add( new setInterfaceAndDirectionIfInterfaceSet(
"Set direction for rules with interface not 'all'"));
add( new specialCaseWithDynInterface(
"check for a special cases with dynamic interface" ) );
// first arg is true because we use "ip access-list" for NXOS.
add( new pickACL( true, "assign ACLs" ) );
add( new SpecialServices( "check for special services" ) );
add( new CheckForUnsupportedUserService("check for user service") );
add( new checkForZeroAddr( "check for zero addresses" ) );
add( new checkForDynamicInterface("check for dynamic interfaces" ) );
/* remove redundant objects only after all splits has been
* done, right before object groups are created
*/
add( new removeRedundantAddressesFromSrc(
"remove redundant addresses from Src") );
add( new removeRedundantAddressesFromDst(
"remove redundant addresses from Dst") );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
if (supports_object_groups)
{
// "object-group service" does not seem to support
// matching of tcp flags and "established". Need to
// separate objects using these into separate rules to avoid
// object-group
add( new splitTCPServiceWithFlags(
"separate TCP service with tcp flags"));
add( new CreateObjectGroupsForSrc("create object groups for Src",
named_objects_manager));
add( new CreateObjectGroupsForDst("create object groups for Dst",
named_objects_manager));
add( new CreateObjectGroupsForSrv("create object groups for Srv",
named_objects_manager));
} else
{
add( new ConvertToAtomic ("convert to atomic rules" ) );
}
add( new simplePrintProgress());
add( new createNewCompilerPass("Creating object groups and ACLs"));
// This processor prints each ACL separately in one block.
// It adds comments inside to denote original rules.
//
add( new PrintCompleteACLs("Print ACLs"));
add( new simplePrintProgress());
runRuleProcessors();
}
string PolicyCompiler_nxosacl::printAccessGroupCmd(ciscoACL *acl, bool neg)
{
ostringstream str;
string addr_family_prefix = "ip";
if (ipv6) addr_family_prefix = "ipv6";
if (getSourceRuleSet()->isTop())
{
string dir;
if (acl->direction()=="in" || acl->direction()=="Inbound") dir="in";
if (acl->direction()=="out" || acl->direction()=="Outbound") dir="out";
str << "interface " << acl->getInterface()->getName() << endl;
if (neg) str << " no";
str << " " << addr_family_prefix << " ";
str << getAccessGroupCommandForAddressFamily(ipv6);
str << " " << acl->workName() << " " << dir << endl;
str << "exit" << endl;
}
return str.str();
}
void PolicyCompiler_nxosacl::epilog()
{
output << endl;
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
if (acl->size()!=0) output << printAccessGroupCmd(acl, false);
}
output << endl;
if ( fw->getOptionsObject()->getBool("nxosacl_regroup_commands") )
{
info(" Regrouping commands");
regroup();
}
}
string PolicyCompiler_nxosacl::getAccessGroupCommandForAddressFamily(bool ipv6)
{
if (ipv6) return "traffic-filter";
return "access-group";
}
string PolicyCompiler_nxosacl::printClearCommands()
{
ostringstream output;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/nxosacl_commands/" + xml_element);
assert( !clearACLCmd.empty());
// No need to output "clear" commands in single rule compile mode
if ( fw->getOptionsObject()->getBool("nxosacl_acl_basic") ||
fw->getOptionsObject()->getBool("nxosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl = (*i).second;
output << clearACLCmd << " " << acl->workName() << endl;
}
}
return output.str();
}
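Review bot: The version thresholds in `SpecialServices::processNext` (`XMLTools::version_compare(version, "12.4")<0`, with the message `"TCP flags match requires NXOS v12.4 or later."`) and in `compile()` (`supports_object_groups` requires `version_compare(version, "12.4")>=0`) appear to be carried over from the IOS compiler; every NX-OS release number I am aware of is far below 12, so as written any rule that matches TCP flags is rejected and the `nxosacl_use_object_groups` option can never take effect. Both comparisons should use a threshold taken from the NX-OS version list in the platform resources, or be dropped if all supported NX-OS versions have the feature; the resource file is not visible here, so the exact value needs checking. `prolog()` reads `version` and `host_os`, and `findDynamicInterface` reads `vers`, without using them. In `printClearCommands`, `assert( !clearACLCmd.empty())` is the only check that the resource lookup succeeded, so a build with `NDEBUG` silently emits a bare ACL name as a command; replacing it with `if (clearACLCmd.empty()) abort("Missing " + xml_element + " command for version " + version);` keeps the failure visible in release builds.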


@ -0,0 +1,298 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __POLICYCOMPILER_NXOSACL_HH
#define __POLICYCOMPILER_NXOSACL_HH
#include <fwbuilder/libfwbuilder-config.h>
#include "fwcompiler/PolicyCompiler.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "Helper.h"
#include "ACL.h"
#include "PolicyCompiler_cisco.h"
#include <functional>
namespace libfwbuilder {
class IPService;
class ICMPService;
class TCPService;
class UDPService;
class RuleElementSrc;
class RuleElementDst;
class RuleElementSrv;
class Group;
};
namespace fwcompiler {
class PolicyCompiler_nxosacl : public PolicyCompiler_cisco {
protected:
std::string comment_symbol;
/**
* dynamic interfaces can not be used in policy rules in NXOS ACLs
*/
friend class checkForDynamicInterface;
class checkForDynamicInterface : public PolicyRuleProcessor
{
bool findDynamicInterface(libfwbuilder::PolicyRule *rule,
libfwbuilder::RuleElement *re);
public:
checkForDynamicInterface(const std::string &name) : PolicyRuleProcessor(name) {}
virtual bool processNext();
};
/*
*************************************************************************
*
* the following rule processors are intended for NXOSACL < 7.0
* the code is in the module PolicyCompiler_nxosacl_v6_acls.cpp
*
*************************************************************************
*/
/**
* verifies combination of interface and direction and
* fills interface and direction. After this predicate it
* is guaranteed that both interface and direction have
* some value. In certain situations interface ID may be
* set to "nil" though (e.g. global policy rules).
*/
DECLARE_POLICY_RULE_PROCESSOR( InterfaceAndDirection_v6 );
/**
* if interface has not been defined (this is global policy
* rule), then multiply the rule for each interface and set
* direction to "Inbound"
*/
DECLARE_POLICY_RULE_PROCESSOR( assignRuleToInterface_v6 );
/**
* split rules with direction "both".
* TODO: This is used in OpenBSD pf. Move to class PolicyCompiler
*/
DECLARE_POLICY_RULE_PROCESSOR( SplitDirection_v6 );
/**
* in NXOSACL, ACLs are always applied on interface and direction
* can only be "inbound". We emulate outbound ACLs though.
*/
DECLARE_POLICY_RULE_PROCESSOR( EmulateOutboundACL_v6 );
/**
* determine acl rules should belong to
*/
DECLARE_POLICY_RULE_PROCESSOR( pickACL_v6 );
friend class PolicyCompiler_nxosacl::pickACL_v6;
/*
*************************************************************************
*
* end of module PolicyCompiler_nxosacl_v6_acls.cpp
*
*************************************************************************
*/
/*
*************************************************************************
*
* rule processors intended to manage ACLs for NXOSACL < 7.0 are inherited
* from PolicyCompiler_cisco.
* The code is in the module PolicyCompiler_cisco_acls.cpp
*
* The processors assume that all objects in src and dst
* belong to the same network zone (respectively)
*
* All these rule processors assume outbound ACLs are supported.
* Check corresponding capability flag and do not include these
* processors in the processors chain in nxosacl.cpp if outbound acls
* are not supported.
*
*************************************************************************
*/
/**
* this processor checks for the services which require
* special treatment. Some of these will be checking for
* source or destination object as well because special
* command may need to be generated in case source or
* destination is a firewall itself. Therefore this processor
* should be called after converting to atomic rules, but
* before interface addresses in source and destination are
* expanded.
*/
DECLARE_POLICY_RULE_PROCESSOR( SpecialServices );
friend class PolicyCompiler_nxosacl::SpecialServices;
/**
* to implement action "Reject" add command "service resetinbound"
*/
DECLARE_POLICY_RULE_PROCESSOR( RejectAction );
friend class PolicyCompiler_nxosacl::RejectAction;
/**
* Implements "mirrored" rules
*/
class mirrorRule : public PolicyRuleProcessor
{
void duplicateRuleElement(libfwbuilder::RuleElement *re1,
libfwbuilder::RuleElement *re2);
public:
mirrorRule(const std::string &n) : PolicyRuleProcessor(n) {}
virtual bool processNext();
};
friend class PolicyCompiler_nxosacl::mirrorRule;
/**
* this processor accumulates all rules fed to it by previous
* * processors, prints commands to clear access-lists, then
* feeds all rules to the next processor. Usually this
* processor is in chain right before PrintRules.
*
* We use this processor to print "clear" commands because
* they need to be generated when all access lists have been
* created but before they are printed.
*/
class ClearACLs : public PolicyRuleProcessor
{
public:
ClearACLs(const std::string &n) : PolicyRuleProcessor(n) {}
virtual bool processNext();
};
friend class PolicyCompiler_nxosacl::ClearACLs;
/**
* "object-group service" does not seem to support matching of
* tcp flags and "established". Need to separate objects using
* these into separate rules to avoid object-group
*/
DECLARE_POLICY_RULE_PROCESSOR(splitTCPServiceWithFlags);
friend class PolicyCompiler_nxosacl::splitTCPServiceWithFlags;
/**
* this processor prints single policy rule, assuming all
* groups have been expanded, so source, destination and
* service hold exactly one object each, and this object is
* not a group. Negation should also have been taken care of
* before this method is called.
*/
class PrintRule : public PolicyRuleProcessor
{
protected:
std::string current_rule_label1;
std::map<std::string,std::string> current_rule_label2;
int aclLineCounter;
std::string _printPortRangeOp(int rs, int re);
std::string getTcpFlagName(const libfwbuilder::TCPService::TCPFlag f);
std::string _printSrcService(libfwbuilder::Service *srv);
std::string _printDstService(libfwbuilder::Service *srv);
std::string _printAddr(libfwbuilder::Address *o);
std::string _printProtocol(libfwbuilder::Service *srv);
std::string _printTCPFlags(libfwbuilder::TCPService *srv);
std::string _printAction(libfwbuilder::PolicyRule *r);
std::string _printACL(libfwbuilder::PolicyRule *r);
std::string _printLog(libfwbuilder::PolicyRule *r);
std::string _printIPServiceOptions(libfwbuilder::PolicyRule *r);
std::string _printRule(libfwbuilder::PolicyRule *rule);
public:
PrintRule(const std::string &name) : PolicyRuleProcessor(name) { aclLineCounter=0; }
virtual bool processNext();
};
friend class PolicyCompiler_nxosacl::PrintRule;
/**
* this processor accumulates all rules fed to it by previous
* * processors, prints commands to clear access-lists, then
* generates commands for the new ACLs.
*
*/
class PrintCompleteACLs : public PrintRule
{
public:
PrintCompleteACLs(const std::string &n) : PrintRule(n) {}
virtual bool processNext();
struct printRulesForACL : public std::unary_function<libfwbuilder::Rule*, void>
{
ciscoACL *acl;
std::stringstream *output;
PolicyCompiler_nxosacl *nxosacl_comp;
PolicyCompiler_nxosacl::PrintCompleteACLs *print_acl_p;
printRulesForACL(PolicyCompiler_nxosacl *_comp,
PolicyCompiler_nxosacl::PrintCompleteACLs *pp,
ciscoACL* _acl,
std::stringstream *_out)
{ nxosacl_comp = _comp; print_acl_p = pp; acl = _acl; output = _out; }
// print rule if it belongs to ACL <acl>
void operator() (libfwbuilder::Rule* x);
};
friend struct PrintCompleteACLs::printRulesForACL;
};
friend class PolicyCompiler_nxosacl::PrintCompleteACLs;;
bool resetinbound;
bool fragguard;
protected:
virtual std::string myPlatformName();
virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false);
public:
PolicyCompiler_nxosacl(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf);
virtual ~PolicyCompiler_nxosacl() {}
virtual int prolog();
virtual void compile();
virtual void epilog();
virtual std::string printClearCommands();
static std::string getAccessGroupCommandForAddressFamily(bool ipv6);
};
}
#endif
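Review bot: The header declares rule processors whose comments do not describe NX-OS: the block headed `the following rule processors are intended for NXOSACL < 7.0` (`InterfaceAndDirection_v6`, `assignRuleToInterface_v6`, `SplitDirection_v6`, `EmulateOutboundACL_v6`, `pickACL_v6`) and `RejectAction` (`add command "service resetinbound"`) describe PIX behaviour, and the comment says their code lives in `PolicyCompiler_nxosacl_v6_acls.cpp`, which I do not see among the files in this commit. If those processors are never defined, the declarations and their `friend` lines are dead and the comments mislead the next reader; either remove them or reword the comments to state that they are unused on NX-OS. `friend class PolicyCompiler_nxosacl::PrintCompleteACLs;;` carries a stray second semicolon. `std::unary_function`, which `printRulesForACL` derives from, is deprecated from C++11 on; a plain struct with `operator()` works with `std::for_each` without it.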


@ -0,0 +1,596 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "PolicyCompiler_nxosacl.h"
#include "NXOSObjectGroup.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "PortRangeConverter.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/ICMP6Service.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/XMLTools.h"
#include <iostream>
#include <iomanip>
#include <fstream>
#include <sstream>
#include <algorithm>
#include <functional>
#include <assert.h>
#include <QStringList>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
bool PolicyCompiler_nxosacl::ClearACLs::processNext()
{
PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast<PolicyCompiler_nxosacl*>(compiler);
string vers = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/nxosacl_commands/clear_acl");
slurp();
if (tmp_queue.size()==0) return false;
if ( compiler->fw->getOptionsObject()->getBool("nxosacl_acl_basic") )
{
compiler->output << clearACLcmd << endl;
}
if (compiler->fw->getOptionsObject()->getBool("nxosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=nxosacl_comp->acls.begin();
i!=nxosacl_comp->acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << clearACLcmd << " " << acl->workName() << endl;
}
compiler->output << endl;
}
if ( !compiler->fw->getOptionsObject()->getBool("nxosacl_acl_no_clear") )
{
string clearICMPcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/nxosacl_commands/clear_icmp");
string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/nxosacl_commands/clear_telnet");
string clearSSHcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/nxosacl_commands/clear_ssh");
//compiler->output << clearICMPcmd << endl;
//compiler->output << clearTelnetcmd << endl;
//compiler->output << clearSSHcmd << endl;
}
return true;
}
void PolicyCompiler_nxosacl::PrintCompleteACLs::printRulesForACL::operator()(
Rule* rule)
{
// print rule if it belongs to ACL <acl>
PolicyRule *prule = PolicyRule::cast(rule);
string acl_name = prule->getStr("acl");
assert (acl_name!="");
ciscoACL *rule_acl = nxosacl_comp->acls[acl_name];
assert(rule_acl!=NULL);
if (acl == rule_acl)
{
*output << print_acl_p->_printRule(prule);
}
}
bool PolicyCompiler_nxosacl::PrintCompleteACLs::processNext()
{
PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast<PolicyCompiler_nxosacl*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
string addr_family_prefix = "ip";
if (nxosacl_comp->ipv6) addr_family_prefix = "ipv6";
for (map<string,ciscoACL*>::iterator i=nxosacl_comp->acls.begin();
i!=nxosacl_comp->acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << addr_family_prefix
<< " access-list ";
// if (!nxosacl_comp->ipv6) compiler->output << "extended ";
compiler->output<< acl->workName() << endl;
std::for_each(tmp_queue.begin(), tmp_queue.end(),
printRulesForACL(nxosacl_comp,
this, acl, &(compiler->output)));
compiler->output << "exit" << endl;
compiler->output << endl;
}
return true;
}
string PolicyCompiler_nxosacl::PrintRule::_printRule(PolicyRule *rule)
{
PolicyCompiler_nxosacl *nxosacl_comp =
dynamic_cast<PolicyCompiler_nxosacl*>(compiler);
string platform = compiler->fw->getStr("platform");
//FWOptions *ruleopt =rule->getOptionsObject();
bool write_comments = compiler->fw->getOptionsObject()->getBool(
platform + "_include_comments");
ostringstream ruleout;
ostringstream aclstr;
if (write_comments)
compiler->output << compiler->printComment(
rule, current_rule_label1, nxosacl_comp->comment_symbol);
/*
* all three rule elements contain exactly one object, which can
* be either group (in case processor CreateObjectGroups created
* object group for it) or a regular object
*/
RuleElementSrc *src=rule->getSrc();
RuleElementDst *dst=rule->getDst();
RuleElementSrv *srv=rule->getSrv();
assert(src->size()==1);
assert(dst->size()==1);
assert(srv->size()==1);
FWObject *srcobj = src->front();
FWObject *dstobj = dst->front();
FWObject *srvobj = srv->front();
assert(srcobj);
assert(dstobj);
assert(srvobj);
if (FWReference::cast(srcobj)!=NULL)
{
srcobj=FWReference::cast(srcobj)->getPointer();
assert(srcobj);
}
if (FWReference::cast(dstobj)!=NULL)
{
dstobj=FWReference::cast(dstobj)->getPointer();
assert(dstobj);
}
if (FWReference::cast(srvobj)!=NULL)
{
srvobj=FWReference::cast(srvobj)->getPointer();
assert(srvobj);
}
string acl_name=rule->getStr("acl");
assert (acl_name!="");
ciscoACL *acl = nxosacl_comp->acls[acl_name];
assert(acl!=NULL);
/*
* Assemble ACL command in aclstr
*/
aclstr << _printAction(rule);
NXOSObjectGroup *pgsrc = NXOSObjectGroup::cast(srcobj);
NXOSObjectGroup *pgdst = NXOSObjectGroup::cast(dstobj);
NXOSObjectGroup *pgsrv = NXOSObjectGroup::cast(srvobj);
/*
* Possible configurations:
*
* permit object-group service_group object-group src_grp object-group dst_grp
* permit object-group service_group SRC_SPEC DST_SPEC
* permit <proto> SRC_SPEC <src_ports> DST_SPEC <dst_ports>
*
* Where SRC_SPEC and DST_SPEC are
* obejct-group network_group
* or traidtional <address> <wildcard_bits>
*
*/
if ( pgsrv!=NULL && pgsrv->isServiceGroup())
{
aclstr << "object-group " << pgsrv->getName();
aclstr << " ";
if ( pgsrc!=NULL && pgsrc->isObjectGroup())
{
aclstr << "object-group " << pgsrc->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstSrc(rule) );
}
if ( pgdst!=NULL && pgdst->isObjectGroup())
{
aclstr << "object-group " << pgdst->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstDst(rule) );
}
} else
{
// Service is not object group
aclstr << _printProtocol(Service::cast(srvobj));
aclstr << " ";
if ( pgsrc!=NULL && pgsrc->isObjectGroup())
{
aclstr << "object-group " << pgsrc->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstSrc(rule) );
}
aclstr << _printSrcService( compiler->getFirstSrv(rule) );
if ( pgdst!=NULL && pgdst->isObjectGroup())
{
aclstr << "object-group " << pgdst->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstDst(rule) );
}
aclstr << _printDstService( compiler->getFirstSrv(rule) );
}
aclstr << _printLog( rule );
// "fragments" should be the last option in the access-list command
aclstr << _printIPServiceOptions(rule);
// Note that option "use_acl_remarks" is set in prolog() because
// we use different options for this function in GUI dialogs for
// nxosacl and procurve. This is historical.
if (compiler->fw->getOptionsObject()->getBool("use_acl_remarks"))
{
ruleout << acl->addRemark(rule->getLabel(), rule->getComment());
}
ruleout << acl->addLine(aclstr.str());
return ruleout.str();
}
string PolicyCompiler_nxosacl::PrintRule::_printAction(PolicyRule *rule)
{
ostringstream str;
switch (rule->getAction()) {
case PolicyRule::Accept: str << "permit "; break;
case PolicyRule::Deny: str << "deny "; break;
case PolicyRule::Reject: str << "deny "; break;
default: str << rule->getActionAsString() << " ";
}
return str.str();
}
string PolicyCompiler_nxosacl::PrintRule::_printACL(PolicyRule *rule)
{
// PolicyCompiler_nxosacl *nxosacl_comp=dynamic_cast<PolicyCompiler_nxosacl*>(compiler);
string acl_name=rule->getStr("acl");
assert (acl_name!="");
return acl_name+" ";
}
string PolicyCompiler_nxosacl::PrintRule::_printLog(PolicyRule *rule)
{
if (rule->getLogging())
{
FWOptions *ruleopt =rule->getOptionsObject();
if (ruleopt->getBool("nxosacl_log_input")) return "log-input ";
return "log ";
}
return "";
}
string PolicyCompiler_nxosacl::PrintRule::_printPortRangeOp(int rs, int re)
{
return PortRangeConverter(rs, re).toString();
}
string PolicyCompiler_nxosacl::PrintRule::_printSrcService(Service *srv)
{
if (TCPService::isA(srv) || UDPService::isA(srv))
{
int rs = TCPUDPService::cast(srv)->getSrcRangeStart();
int re = TCPUDPService::cast(srv)->getSrcRangeEnd();
return _printPortRangeOp(rs, re);
}
return "";
}
string PolicyCompiler_nxosacl::PrintRule::_printIPServiceOptions(PolicyRule *r)
{
Service *srv = compiler->getFirstSrv(r);
const IPService *ip;
if ((ip=IPService::constcast(srv))!=NULL)
{
string version = compiler->fw->getStr("version");
if (srv->getBool("fragm") || srv->getBool("short_fragm"))
return "fragments ";
if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.4")<0)
compiler->abort(r, "IP options match requires NXOS v12.4 or later.");
if (ip->getBool("lsrr")) return "option lsr";
if (ip->getBool("ssrr")) return "option ssr";
if (ip->getBool("rr")) return "option record-route";
if (ip->getBool("rtralt")) return "option router-alert";
if (ip->getBool("any_opt")) return "option any-options ";
string tos = ip->getTOSCode();
string dscp = ip->getDSCPCode();
if (!dscp.empty()) return string("dscp ") + dscp;
else
if (!tos.empty()) return string("tos ") + tos;
}
return "";
}
string PolicyCompiler_nxosacl::PrintRule::_printDstService(Service *srv)
{
ostringstream str;
if (TCPService::isA(srv) || UDPService::isA(srv))
{
int rs = TCPUDPService::cast(srv)->getDstRangeStart();
int re = TCPUDPService::cast(srv)->getDstRangeEnd();
str << _printPortRangeOp(rs, re);
}
if (TCPService::isA(srv))
{
if (srv->getBool("established")) str << "established ";
else str << _printTCPFlags(TCPService::cast(srv));
}
if ((ICMPService::isA(srv) || ICMP6Service::isA(srv)) &&
srv->getInt("type")!=-1)
{
str << srv->getStr("type") << " ";
}
if (CustomService::isA(srv))
str << CustomService::cast(srv)->getCodeForPlatform(
compiler->myPlatformName() ) << " ";
return str.str();
}
string PolicyCompiler_nxosacl::PrintRule::getTcpFlagName(const TCPService::TCPFlag f)
{
switch (f)
{
case TCPService::URG: return "urg";
case TCPService::ACK: return "ack";
case TCPService::PSH: return "psh";
case TCPService::RST: return "rst";
case TCPService::SYN: return "syn";
case TCPService::FIN: return "fin";
default: return "";
}
return "";
}
string PolicyCompiler_nxosacl::PrintRule::_printTCPFlags(TCPService *srv)
{
if (srv->inspectFlags())
{
// We check the version and call compiler->abort() if its
// wrong in SpecialServices rule processor. Here we should just execute.
string version = compiler->fw->getStr("version");
if (XMLTools::version_compare(version, "12.4")>=0)
{
std::set<TCPService::TCPFlag> flags = srv->getAllTCPFlags();
std::set<TCPService::TCPFlag> masks = srv->getAllTCPFlagMasks();
std::set<TCPService::TCPFlag>::iterator mit = masks.begin();
QStringList match_specs;
for (; mit!=masks.end(); mit++)
{
if (flags.count(*mit) > 0)
match_specs.push_back(QString("+%1").arg(getTcpFlagName(*mit).c_str()));
else
match_specs.push_back(QString("-%1").arg(getTcpFlagName(*mit).c_str()));
}
if (!match_specs.empty())
match_specs.push_front("match-all");
return match_specs.join(" ").toStdString() + " ";
}
}
return "";
}
string PolicyCompiler_nxosacl::PrintRule::_printProtocol(Service *srv)
{
PolicyCompiler_nxosacl *nxosacl_comp = dynamic_cast<PolicyCompiler_nxosacl*>(
compiler);
string addr_family_prefix = "ip ";
if (nxosacl_comp->ipv6) addr_family_prefix = "ipv6 ";
string proto = srv->getProtocolName();
if (ICMP6Service::isA(srv)) proto = "icmp";
if (CustomService::isA(srv))
{
// special case standard CusctomService objects "ESTABLISHED"
// and "ESTABLISHED ipv6": these require protocol "tcp" but
// protocol is set in the Custom Service object for all
// platforms at once, so we can't have protocol defined only
// for nxosacl to be used here.
string srv_code = CustomService::cast(srv)->getCodeForPlatform(
compiler->myPlatformName());
if (srv_code == "established") proto = "tcp";
}
if (proto=="ip") return addr_family_prefix;
return proto + " ";
}
string PolicyCompiler_nxosacl::PrintRule::_printAddr(Address *o)
{
PolicyCompiler_nxosacl *nxosacl_comp = dynamic_cast<PolicyCompiler_nxosacl*>(compiler);
if (Interface::cast(o)!=NULL)
{
Interface *interface_ = Interface::cast(o);
if (interface_->isDyn())
{
return string("interface ") + interface_->getLabel() + " ";
}
}
ostringstream str;
const InetAddr *srcaddr = o->getAddressPtr();
if (srcaddr)
{
const InetAddr *nm = o->getNetmaskPtr();
InetAddr srcmask;
if (nm != NULL)
{
srcmask = *nm;
} else
{
cerr << "Address object "
<< o
<< " "
<< o->getName()
<< " (" << o->getTypeName() << ") "
<< " has no netmask"
<< endl;
srcmask = InetAddr(InetAddr::getAllOnes(srcaddr->addressFamily()));
}
// const InetAddr srcmask = *(o->getNetmaskPtr());
if (srcaddr->isAny() && srcmask.isAny())
{
str << "any ";
} else
{
if (Interface::cast(o)==NULL &&
Interface::cast(o->getParent())==NULL &&
o->dimension() > 1 &&
!srcmask.isHostMask())
{
if (nxosacl_comp->ipv6)
{
str << srcaddr->toString()
<< "/"
<< srcmask.getLength() << " ";
} else
{
str << srcaddr->toString() << " ";
// cisco uses "wildcards" instead of netmasks
//long nm = srcmask.to32BitInt();
//struct in_addr na;
//na.s_addr = ~nm;
InetAddr nnm( ~srcmask );
str << nnm.toString() << " ";
}
} else
{
str << "host " << srcaddr->toString() << " ";
}
}
return str.str();
}
ostringstream errstr;
errstr << "Object "
<< o->getName()
<< " (id="
<< o->getId()
<< ") "
<< " has no ip address and can not be used "
<< "in the rule.";
compiler->abort(errstr.str());
return ""; // to make compiler happy
}
/*
* the following additional attributes should have been defined by now:
*
* "acl" - string, name of the access list
* choices are: outside-in, outside-out, inside-in, indside-out,
* dmz-in, dmz-out etc.
* General rule for the acl name: "iface_name-{in,out}"
*/
bool PolicyCompiler_nxosacl::PrintRule::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
compiler->output << _printRule(rule);
return true;
}
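Review bot: `_printIPServiceOptions` and `_printTCPFlags` gate on `XMLTools::version_compare(version, "12.4")`, an IOS release number carried over from the IOS compiler; NX-OS releases are not numbered in the 12.x scheme, so unless the NX-OS resource file defines its versions in that form, every NX-OS firewall fails the comparison: a rule matching IP options aborts with a message naming "NXOS v12.4", and in `_printTCPFlags` the flag specification is silently dropped, so a rule meant to match only certain TCP flags compiles to an ACL entry that matches all TCP traffic with the same ports. The threshold should come from the NX-OS version list (or the gate be removed if all supported NX-OS releases accept these options), e.g. `if (ip->hasIpOptions() && XMLTools::version_compare(version, NXOS_MIN_VERSION_FOR_IP_OPTIONS) < 0)` with the constant (placeholder name) taken from the platform resources, and the abort text changed accordingly; the comment above the flag check says a `SpecialServices` processor aborts on a wrong version, which cannot be confirmed from this file. While there, `"option lsr"`, `"option ssr"`, `"option record-route"` and `"option router-alert"` lack the trailing space that every other token returned by these printers carries, which is fine only as long as the option stays the last element of the line.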


@ -0,0 +1,162 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "RoutingCompiler_nxosacl.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Network.h"
#include <string>
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
string RoutingCompiler_nxosacl::myPlatformName() { return "nxosacl"; }
int RoutingCompiler_nxosacl::prolog()
{
int n = RoutingCompiler_cisco::prolog();
if (fw->getStr("platform")!="nxosacl")
abort("Unsupported platform " + fw->getStr("platform") );
return n;
}
void RoutingCompiler_nxosacl::epilog()
{
}
/*
* Replace objects in dst and gw with their ip addresses, except if
* interface of the firewall is found in gw, it is left intact because
* NXOS allows for using interface name as gateway in "ip route"
* command.
*/
bool RoutingCompiler_nxosacl::ExpandMultipleAddressesExceptInterface::processNext()
{
RoutingRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
RuleElementRDst *dst = rule->getRDst(); assert(dst);
compiler->_expand_addr(rule, dst, true);
RuleElementRGtw *gtwrel = rule->getRGtw(); assert(gtwrel);
Address *gtw = Address::cast(
FWReference::cast(gtwrel->front())->getPointer());
if (gtw == NULL)
compiler->abort(rule, "Broken GTW");
if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw)) return true;
compiler->_expand_addr(rule, gtwrel, false);
return true;
}
bool RoutingCompiler_nxosacl::checkRItfAndGw::processNext()
{
RoutingRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
RuleElementRItf *itfrel = rule->getRItf(); assert(itfrel);
RuleElementRGtw *gtwrel = rule->getRGtw(); assert(gtwrel);
if (!itfrel->isAny() && !gtwrel->isAny())
compiler->abort(rule, "Can not use both gateway address and interface in "
"NXOS routing rule");
return true;
}
/**
*-----------------------------------------------------------------------
*/
void RoutingCompiler_nxosacl::compile()
{
printRule = new RoutingCompiler_nxosacl::PrintRule("");
info(" Compiling routing rules for " + fw->getName());
Compiler::compile();
add(new RoutingCompiler::Begin());
add(new printTotalNumberOfRules());
add( new singleRuleFilter());
add(new recursiveGroupsInRDst("Check for recursive Groups in RDst"));
add(new emptyGroupsInRDst("Check for empty Groups in RDst"));
add(new emptyRDstAndRItf("Check if RDst and RItf are both empty"));
// add(new singleAdressInRGtw(
// "Check if RGtw object has exactly one IP adress"));
add(new rItfChildOfFw("Check if RItf is an Iterface of this firewall"));
add(new checkRItfAndGw("Both gateway and interface can not be used in the same rule"));
add(new validateNetwork("Validate network addresses"));
add(new reachableAddressInRGtw(
"Check if RGtw is reachable via local networks"));
//add(new contradictionRGtwAndRItf(
// "Check if RGtw is in a network of RItf"));
add(new ExpandGroups("Expand groups in DST"));
add(new ExpandMultipleAddressesExceptInterface(
"Expand objects with multiple addresses in DST"));
add(new eliminateDuplicatesInDST("Eliminate duplicates in DST"));
add(new createSortedDstIdsLabel(
"Create label with a sorted dst-id-list for 'competingRules'"));
add(new competingRules("Check for competing rules"));
add(new ConvertToAtomicForDST(
"Convert to atomic rules by dst address elements"));
add(new createSortedDstIdsLabel(
"Create label with a sorted dst-id-list for 'classifyRoutingRules'"));
add(new classifyRoutingRules(
"Classify into single path or part of a multi path rule"));
//add(new eliminateDuplicateRules(
// "Eliminate duplicate rules over the whole table"));
add(new PrintRule("generate ip code"));
add(new simplePrintProgress());
runRuleProcessors();
}
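Review bot: In `ExpandMultipleAddressesExceptInterface::processNext` the result of `FWReference::cast(gtwrel->front())` is dereferenced before anything is checked, so the `"Broken GTW"` abort only catches a reference to a non-Address object, not a front element that is not a reference at all; the policy compiler in this same commit checks `FWReference::cast(...) != NULL` before calling `getPointer()`, so the nullable contract is established. Suggested shape: `FWReference *gtw_ref = FWReference::cast(gtwrel->front());` / `Address *gtw = (gtw_ref != NULL) ? Address::cast(gtw_ref->getPointer()) : NULL;` / `if (gtw == NULL) compiler->abort(rule, "Broken GTW");`. The same unchecked pattern recurs in `_printRGtw` and `RoutingRuleToString` in the routing writers file added by this commit. The processor label `"Check if RItf is an Iterface of this firewall"` misspells "Interface"; it is a user-visible label, so the typo shows up in compiler output.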


@ -0,0 +1,89 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __ROUTINGCOMPILER_NXOSACL_HH__
#define __ROUTINGCOMPILER_NXOSACL_HH__
#include <fwbuilder/libfwbuilder-config.h>
#include "fwcompiler/RoutingCompiler.h"
#include "fwbuilder/RuleElement.h"
#include "config.h"
#include "RoutingCompiler_cisco.h"
namespace libfwbuilder {
class RuleElementRDst;
class RuleElementRItf;
class RuleElementRGtw;
};
namespace fwcompiler
{
class RoutingCompiler_nxosacl : public RoutingCompiler_cisco
{
protected:
virtual std::string myPlatformName();
/**
* this inspector replaces references to hosts and firewalls
* in dst and gw with references to their interfaces, except
* for interfaces of the firewall found in gw, which are left
* intact.
*/
DECLARE_ROUTING_RULE_PROCESSOR(ExpandMultipleAddressesExceptInterface);
DECLARE_ROUTING_RULE_PROCESSOR(checkRItfAndGw);
class PrintRule : public RoutingCompiler_cisco::PrintRule
{
public:
PrintRule(const std::string &name);
virtual bool processNext();
virtual std::string RoutingRuleToString(libfwbuilder::RoutingRule *r);
virtual std::string _printRGtw(libfwbuilder::RoutingRule *r);
virtual std::string _printRItf(libfwbuilder::RoutingRule *r);
};
friend class RoutingCompiler_nxosacl::PrintRule;
public:
RoutingCompiler_nxosacl(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) : RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {};
virtual int prolog();
virtual void compile();
virtual void epilog();
};
}
#endif
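Review bot: The doc comment on `ExpandMultipleAddressesExceptInterface` says the processor replaces hosts and firewalls "with references to their interfaces", but the implementation in the matching .cpp file calls `compiler->_expand_addr` and its own comment says objects are replaced with their ip addresses; the header comment should read "this processor replaces objects in dst and gw with their ip addresses, except for interfaces of the firewall found in gw, which are left intact". `checkRItfAndGw` has no documentation at all; from its body a one-liner such as `/** Aborts when a rule names both a gateway address and an interface, which the NX-OS "ip route" command does not accept. */` would do. Two stray semicolons — after the closing brace of `namespace libfwbuilder` and after the inline constructor body `{};` — are harmless but are the kind of thing a `-Wpedantic` build warns about.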


@ -0,0 +1,167 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "RoutingCompiler_nxosacl.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include <assert.h>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
/**
*-----------------------------------------------------------------------
* Methods for printing
*/
RoutingCompiler_nxosacl::PrintRule::PrintRule(const std::string &name) :
RoutingCompiler_cisco::PrintRule(name)
{
}
bool RoutingCompiler_nxosacl::PrintRule::processNext()
{
RoutingRule *rule = getNext(); if (rule == NULL) return false;
tmp_queue.push_back(rule);
string rl = rule->getLabel();
string comm = rule->getComment();
string::size_type c1, c2;
c1 = 0;
if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label)
{
compiler->output << "! " << endl;
compiler->output << "! Rule " << rl << endl;
compiler->output << "! " << endl;
}
// string err = rule->getCompilerMessage();
// if (!err.empty()) compiler->output << "# " << err << endl;
if( rule->getRuleType() != RoutingRule::MultiPath )
{
if (!compiler->inSingleRuleCompileMode() && rl != current_rule_label)
{
while ( (c2 = comm.find('\n',c1)) != string::npos )
{
compiler->output << "! " << comm.substr(c1,c2-c1) << endl;
c1 = c2 + 1;
}
compiler->output << "! " << comm.substr(c1) << endl;
compiler->output << "! " << endl;
string err = compiler->getErrorsForRule(rule, "! ");
if (!err.empty()) compiler->output << err << endl;
current_rule_label = rl;
}
string command_line = RoutingRuleToString(rule);
compiler->output << command_line;
} else
{
string err = compiler->getErrorsForRule(rule, "! ");
if (!err.empty()) compiler->output << err << endl;
compiler->abort(rule, "MultiPath routing not supported by platform");
}
return true;
}
string RoutingCompiler_nxosacl::PrintRule::_printRGtw(RoutingRule *rule)
{
FWObject *ref;
RuleElementRGtw *gtwrel = rule->getRGtw();
ref = gtwrel->front();
Address *gtw = Address::cast(FWReference::cast(ref)->getPointer());
if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw))
{
// gateway is interface of this firewall. Generate command
// ip route A.B.C.D N.N.N.N interface metric
return gtw->getName() + " ";
}
string gateway = _printAddr(gtw);
if (gateway != "default ") return gateway;
else return " ";
}
string RoutingCompiler_nxosacl::PrintRule::_printRItf(RoutingRule *rule)
{
RuleElementRItf *itfrel = rule->getRItf();
if (!itfrel->isAny())
{
Interface *itf =
Interface::cast(FWObjectReference::getObject(itfrel->front()));
if (itf != NULL) return itf->getName() + " ";
}
return "";
}
string RoutingCompiler_nxosacl::PrintRule::RoutingRuleToString(RoutingRule *rule)
{
FWObject *ref;
RuleElementRDst *dstrel = rule->getRDst();
ref = dstrel->front();
Address *dst = Address::cast(FWReference::cast(ref)->getPointer());
if(dst == NULL) compiler->abort(rule, "Broken DST");
std::ostringstream command_line;
command_line << "ip route ";
command_line << _printRDst(rule);
command_line << _printRGtw(rule);
command_line << _printRItf(rule);
// default metric in NXOS is 1 (can't have metric 0)
if (rule->getMetricAsString() == "0")
{
command_line << "1";
} else {
command_line << rule->getMetricAsString();
}
command_line << endl;
return command_line.str();
}
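Review bot: In `RoutingRuleToString` the local `dst` is computed only to be tested against `NULL` and then discarded while `_printRDst(rule)` re-derives the destination on its own, so the check guards nothing that follows; if `compiler->abort` can return in any compile mode (not verifiable from this file) the command is emitted regardless. The command is also hard-coded as `"ip route "` even though the class is constructed with an `ipv6_policy` flag; if this compiler is ever run with that flag set, the generated line would be wrong for IPv6 routes, so either guard that case or document that routing compilation is IPv4-only here. The include list brings in `"fwbuilder/RuleElement.h"` and `"fwbuilder/Routing.h"` twice; dropping the duplicates is a trivial cleanup.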


@ -8,6 +8,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
PolicyCompiler_cisco_acls.cpp \
NamedObjectsAndGroupsSupport.cpp \
NamedObjectsManager.cpp \
NamedObjectsManagerNXOS.cpp \
NamedObjectsManagerIOS.cpp \
NamedObjectsManagerPIX.cpp \
RoutingCompiler_cisco.cpp \
@ -20,11 +21,18 @@ SOURCES = PolicyCompiler_cisco.cpp \
Helper.cpp \
inspectionProtocol.cpp \
InspectionClassMap.cpp \
OSConfigurator_nxos.cpp \
OSConfigurator_ios.cpp \
CompilerDriver_nxosacl.cpp \
CompilerDriver_nxosacl_run.cpp \
CompilerDriver_iosacl.cpp \
CompilerDriver_iosacl_run.cpp \
PolicyCompiler_nxosacl.cpp \
PolicyCompiler_nxosacl_writers.cpp \
PolicyCompiler_iosacl.cpp \
PolicyCompiler_iosacl_writers.cpp \
RoutingCompiler_nxosacl.cpp \
RoutingCompiler_nxosacl_writers.cpp \
RoutingCompiler_iosacl.cpp \
RoutingCompiler_iosacl_writers.cpp \
CompilerDriver_pix.cpp \
@ -48,6 +56,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
BaseObjectGroup.cpp \
PIXObjectGroup.cpp \
ASA8ObjectGroup.cpp \
NXOSObjectGroup.cpp \
IOSObjectGroup.cpp \
PolicyCompiler_pix.cpp \
PolicyCompiler_pix_writers.cpp \
@ -56,7 +65,8 @@ SOURCES = PolicyCompiler_cisco.cpp \
RoutingCompiler_pix.cpp \
RoutingCompiler_pix_writers.cpp \
AutomaticRules_cisco.cpp \
AutomaticRules_iosacl.cpp
AutomaticRules_iosacl.cpp \
AutomaticRules_nxosacl.cpp
HEADERS = ../../config.h \
PortRangeConverter.h \
@ -75,6 +85,7 @@ HEADERS = ../../config.h \
InspectionClassMap.h \
PolicyCompiler_cisco.h \
RoutingCompiler_cisco.h \
CompilerDriver_nxosacl.h \
CompilerDriver_iosacl.h \
OSConfigurator_ios.h \
PolicyCompiler_iosacl.h \
@ -89,12 +100,13 @@ HEADERS = ../../config.h \
BaseObjectGroup.h \
PIXObjectGroup.h \
ASA8ObjectGroup.h \
NXOSObjectGroup.h \
IOSObjectGroup.h \
PolicyCompiler_pix.h \
RoutingCompiler_pix.h \
AutomaticRules_cisco.h \
AutomaticRules_iosacl.h
AutomaticRules_iosacl.h \
AutomaticRules_nxosacl.h
macx:LIBS += $$LIBS_FWCOMPILER
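Review bot: The `HEADERS` list gains `CompilerDriver_nxosacl.h`, `NXOSObjectGroup.h` and `AutomaticRules_nxosacl.h`, but as far as the hunks show, no `OSConfigurator_nxos.h`, `PolicyCompiler_nxosacl.h` or `RoutingCompiler_nxosacl.h`, although the corresponding .cpp files are added to `SOURCES` and the IOS counterparts (`OSConfigurator_ios.h`, `PolicyCompiler_iosacl.h`) sit in the list as context. The hunk ranges are contiguous across the `HEADERS` block, so the omission does not seem to be hidden in an unshown hunk. With qmake that costs dependency tracking on those headers, and it would break the build if any of them declares `Q_OBJECT`, since moc would not run on them.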


@ -16,6 +16,7 @@ SOURCES = CompilerDriver.cpp \
linux24Interfaces.cpp \
openbsdInterfaces.cpp \
freebsdInterfaces.cpp \
nxosInterfaces.cpp \
iosInterfaces.cpp \
procurveInterfaces.cpp \
pixInterfaces.cpp \
@ -29,6 +30,7 @@ HEADERS = ../../config.h \
linux24Interfaces.h \
openbsdInterfaces.h \
freebsdInterfaces.h \
nxosInterfaces.h \
iosInterfaces.h \
procurveInterfaces.h \
pixInterfaces.h \


@ -26,6 +26,7 @@
#include "interfacePropertiesObjectFactory.h"
#include "interfaceProperties.h"
#include "linux24Interfaces.h"
#include "nxosInterfaces.h"
#include "iosInterfaces.h"
#include "procurveInterfaces.h"
#include "openbsdInterfaces.h"
@ -59,6 +60,8 @@ interfaceProperties* interfacePropertiesObjectFactory::getInterfacePropertiesObj
os_family == "dd-wrt-jffs" ||
os_family == "secuwall") return new linux24Interfaces();
if (os_family == "nxos") return new nxosInterfaces();
if (os_family == "ios") return new iosInterfaces();
if (os_family == "pix_os" || os_family == "ios") return new pixInterfaces();


@ -0,0 +1,63 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "nxosInterfaces.h"
#include "fwbuilder/Interface.h"
#include <QDebug>
#include <QObject>
#include <QRegExp>
using namespace std;
using namespace libfwbuilder;
bool nxosInterfaces::parseVlan(const QString &name, QString *base_name, int *vlan_id)
{
QRegExp vlan_name_pattern("([a-zA-Z-]+\\d{1,}/\\d{1,})\\.(\\d{1,})");
if (vlan_name_pattern.indexIn(name) != -1)
{
if (base_name!=NULL) *base_name = vlan_name_pattern.cap(1);
if (vlan_id!=NULL) *vlan_id = vlan_name_pattern.cap(2).toInt();
return true;
}
return false;
}
// simple name validation: does not allow space and "-"
// However some platform permit space (procurve).
bool nxosInterfaces::basicValidateInterfaceName(Interface *,
const QString &obj_name,
QString &err)
{
if (obj_name.indexOf(' ') != -1)
{
err = QObject::tr("Interface name '%1' can not contain white space").arg(obj_name);
return false;
}
return true;
}
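Review bot: The comment above `basicValidateInterfaceName` says the function "does not allow space and "-"", but the body rejects only white space, and the header added by this commit says "-" is deliberately permitted; the comment should read `// simple name validation: does not allow space; unlike the base class, "-" is permitted`. In `parseVlan` the pattern is applied with `indexIn`, which matches anywhere in the string, so a name with extra leading or trailing characters is still accepted as a sub-interface and the capture groups come from the middle of it; anchoring avoids that: `QRegExp vlan_name_pattern("^([a-zA-Z-]+\\d{1,}/\\d{1,})\\.(\\d{1,})$");`. The pattern also recognises only the two-level `name<N>/<M>.<vlan>` form; whether other NX-OS interface naming forms need to parse here cannot be judged from this file and deserves a comment stating the supported shape.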


@ -0,0 +1,46 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef NXOS_INTERFACE_PROPERTIES_HH
#define NXOS_INTERFACE_PROPERTIES_HH
#include "interfaceProperties.h"
class nxosInterfaces : public interfaceProperties
{
public:
nxosInterfaces() : interfaceProperties() {}
// simple name validation: does not allow space. Unlike this function
// in the base class, permit "-"
virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf,
const QString &proposed_name,
QString &err);
virtual bool parseVlan(const QString&, QString*, int*);
};
#endif


@ -64,6 +64,7 @@
#include "ipfwAdvancedDialog.h"
#include "pfAdvancedDialog.h"
#include "pixAdvancedDialog.h"
#include "nxosaclAdvancedDialog.h"
#include "iosaclAdvancedDialog.h"
#include "ipcopAdvancedDialog.h"
#include "secuwallAdvancedDialog.h"
@ -84,6 +85,7 @@
#include "solarisAdvancedDialog.h"
#include "macosxAdvancedDialog.h"
#include "pixosAdvancedDialog.h"
#include "nxosAdvancedDialog.h"
#include "iosAdvancedDialog.h"
#include "ipcoposAdvancedDialog.h"
#include "secuwallosAdvancedDialog.h"
@ -243,6 +245,7 @@ QWidget *DialogFactory::createFWDialog(QWidget *parent, FWObject *o)
if (platform == "iptables" && os_family == "secuwall")
dlgname = "secuwall";
if (dlgname=="nxosacl") return new nxosaclAdvancedDialog(parent,o);
if (dlgname=="iosacl") return new iosaclAdvancedDialog(parent,o);
if (dlgname=="ipcop") return new ipcopAdvancedDialog(parent,o);
if (dlgname=="ipf") return new ipfAdvancedDialog(parent,o);
@ -281,6 +284,7 @@ QWidget *DialogFactory::createOSDialog(QWidget *parent,FWObject *o)
if (dlgname=="solaris") return new solarisAdvancedDialog(parent, o);
if (dlgname=="macosx") return new macosxAdvancedDialog(parent, o);
if (dlgname=="pix_os") return new pixosAdvancedDialog(parent, o);
if (dlgname=="nxos") return new nxosAdvancedDialog(parent, o);
if (dlgname=="ios") return new iosAdvancedDialog(parent, o);
if (dlgname=="ipcop") return new ipcoposAdvancedDialog(parent, o);
if (dlgname=="secuwall") return new secuwallosAdvancedDialog(parent, o);


@ -32,6 +32,7 @@
#include "instDialog.h"
#include "SSHPIX.h"
#include "SSHIOS.h"
#include "SSHNXOS.h"
#include "Configlet.h"
#include "fwbuilder/Resources.h"
@ -47,7 +48,6 @@
#include <QMessageBox>
#include <QtDebug>
using namespace std;
using namespace libfwbuilder;
@ -56,12 +56,12 @@ FirewallInstallerCisco::FirewallInstallerCisco(instDialog *_dlg,
instConf *_cnf, const QString &_p):
FirewallInstaller(_dlg, _cnf, _p)
{
// string platform = cnf->fwobj->getStr("platform");
// if (cnf->fwdir.isEmpty())
// {
// if (platform=="iosacl") cnf->fwdir = "nvram:";
// else cnf->fwdir = "flash:";
// }
// string platform = cnf->fwobj->getStr("platform");
// if (cnf->fwdir.isEmpty())
// {
// if (platform=="nxosacl") cnf->fwdir = "volatile:";
// else cnf->fwdir = "flash:";
// }
}
bool FirewallInstallerCisco::packInstallJobsList(Firewall*)
@ -174,6 +174,14 @@ void FirewallInstallerCisco::activatePolicy(const QString&, const QString&)
cnf->pwd,
cnf->epwd,
list<string>());
} else if (cnf->fwobj->getStr("platform")=="nxosacl")
{
ssh_object = new SSHNXOS(inst_dlg,
cnf->fwobj->getName().c_str(),
args,
cnf->pwd,
cnf->epwd,
list<string>());
} else // ios
{
ssh_object = new SSHIOS(inst_dlg,
@ -255,6 +263,9 @@ void FirewallInstallerCisco::activatePolicy(const QString&, const QString&)
activation.setVariable("using_scp", cnf->useSCPForRouter);
activation.setVariable("not_using_scp", ! cnf->useSCPForRouter);
activation.setVariable("using_nxos_session", cnf->useNXOSSession);
activation.setVariable("not_using_nxos_session", ! cnf->useNXOSSession);
if ( ! cnf->useSCPForRouter)
{
activation.setVariable("fwbuilder_generated_configuration_lines",
@ -279,6 +290,7 @@ bool FirewallInstallerCisco::readManifest(const QString &script,
// in case of IOS, it is ":"
QFileInfo file_base(script);
QString remote_file = dest_dir + file_base.fileName();
qDebug() << "001 REMOTE FILE:" << remote_file;
QString local_name = script;
cnf->remote_script = remote_file;
(*all_files)[local_name] = remote_file;
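Review bot: `qDebug() << "001 REMOTE FILE:" << remote_file;` in readManifest() reads as leftover tracing — it prints the remote path on every run and the `001` prefix suggests a temporary probe; it should be dropped, or guarded by the installer's existing verbose/debug switch if there is one. The constructor now carries two commented-out copies of the same `fwdir` defaulting block (the IOS one and an NX-OS one with `volatile:`); if that logic is dead, remove both rather than keeping a second inert copy. The enclosing functions (the constructor aside) start and end outside the hunks shown.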

132
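--- a/src/libgui/SSHNXOS.cpp
+++ b/src/libgui/SSHNXOS.cpp
@@ -0,0 +1,132 @@
+/*
+Firewall Builder
+Copyright (C) 2003 NetCitadel, LLC
+Author: Vadim Kurland vadim@fwbuilder.org
+$Id$
+This program is free software which we release under the GNU General Public
+License. You may redistribute and/or modify this program under the terms
+of that license as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+To get a copy of the GNU General Public License, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+#include "config.h"
+#include "global.h"
+#include "SSHNXOS.h"
+#include <QtDebug>
+using namespace std;
+SSHNXOS::SSHNXOS(QWidget *_par,
+const QString &_h,
+const QStringList &args,
+const QString &_p,
+const QString &_ep,
+const std::list<std::string> &_in) :
+SSHCisco(_par,_h,args,_p,_ep,_in)
+{
+normal_prompt=">$";
+fwb_prompt="--**--**--";
+enable_prompt="# $";
+pwd_prompt_1="'s password: $";
+pwd_prompt_2="Password: ";
+epwd_prompt="Password: ";
+ssh_pwd_prompt="'s password: ";
+ssoft_config_prompt="> ";
+putty_pwd_prompt="Password: ";
+passphrase_prompt="Enter passphrase for key ";
+errorsInit.clear();
+errorsInit.push_back("Permission denied");
+errorsInit.push_back("Invalid password");
+errorsInit.push_back("Access denied");
+errorsInit.push_back("Unable to authenticate");
+errorsInit.push_back("Too many authentication failures");
+errorsLoggedin.clear();
+errorsLoggedin.push_back("Invalid password");
+errorsLoggedin.push_back("ERROR: ");
+errorsLoggedin.push_back("Not enough arguments");
+errorsLoggedin.push_back("cannot find");
+errorsEnabledState.clear();
+errorsEnabledState.push_back("ERROR: ");
+errorsEnabledState.push_back("Type help");
+errorsEnabledState.push_back("Not enough arguments");
+errorsEnabledState.push_back("invalid input detected");
+errorsEnabledState.push_back("Invalid");
+errorsEnabledState.push_back("cannot find");
+}
+SSHNXOS::~SSHNXOS()
+{
+}
+// NXOS state machine needs to be able to deal with
+// "reload in ... " command
+void SSHNXOS::stateMachine()
+{
+if (checkForErrors()) return;
+// We need too delete files when doing scp with session
+if ( cmpPrompt(stdoutBuffer,
+QRegExp("Do you want to delete .* \\(yes/no/abort\\) \\[y\\] ")) )
+{
+stdoutBuffer="";
+proc->write( "yes\n" );
+}
+switch (state)
+{
+case SCHEDULE_RELOAD_DIALOG:
+if ( cmpPrompt(stdoutBuffer,
+QRegExp("System config.* modified\\. Save?")) )
+{
+stdoutBuffer="";
+proc->write( "no\n" );
+break;
+}
+if ( cmpPrompt(stdoutBuffer,QRegExp("Proceed with reload?")) )
+{
+stdoutBuffer="";
+proc->write( "y\n" );
+state = ENABLE;
+break;
+}
+break;
+case PUSHING_CONFIG:
+if ( cmpPrompt(stdoutBuffer, QRegExp("Destination filename [.*]?")) )
+{
+stdoutBuffer="";
+proc->write("\n"); // accept default file name
+} else
+SSHCisco::stateMachine();
+break;
+default:
+SSHCisco::stateMachine();
+break;
+}
+}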
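Review bot: The `Do you want to delete … (yes/no/abort) [y]` prompt at the top of stateMachine() is answered `yes` before the `switch`, so in every state a deletion confirmation coming back from the device is accepted automatically, not only during the session/scp cleanup the comment describes; gating that reply on the state that expects it (e.g. under `case PUSHING_CONFIG:`) or on the expected file name keeps the installer from confirming a deletion it did not initiate. In the `PUSHING_CONFIG` case, `QRegExp("Destination filename [.*]?")` treats `[.*]` as a character class and the trailing `?` as a quantifier, so the bracketed default name is never matched literally — presumably it only works because cmpPrompt() does a partial match; `QRegExp("Destination filename \\[.*\\]\\?")` states the intent. The bare `"Invalid"` entry in errorsEnabledState matches any output containing that word, far broader than the neighbouring `"invalid input detected"`, and could abort on legitimate output such as an ACL remark. The header comment about the `reload in …` command is carried over from the IOS class; a sentence naming the NX-OS prompts this override actually handles would be more useful to the next reader.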

54
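--- a/src/libgui/SSHNXOS.h
+++ b/src/libgui/SSHNXOS.h
@@ -0,0 +1,54 @@
+/*
+Firewall Builder
+Copyright (C) 2003 NetCitadel, LLC
+Author: Vadim Kurland vadim@fwbuilder.org
+$Id$
+This program is free software which we release under the GNU General Public
+License. You may redistribute and/or modify this program under the terms
+of that license as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+To get a copy of the GNU General Public License, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+#ifndef __SSHNXOS_H_
+#define __SSHNXOS_H_
+#include "config.h"
+#include "global.h"
+#include "SSHCisco.h"
+#include <QString>
+class SSHNXOS : public SSHCisco {
+Q_OBJECT;
+public:
+SSHNXOS(QWidget *parent,
+const QString &host,
+const QStringList &args,
+const QString &pwd,
+const QString &epwd,
+const std::list<std::string> &in);
+virtual ~SSHNXOS();
+virtual void stateMachine();
+};
+#endif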
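Review bot: The include guard `__SSHNXOS_H_` is a double-underscore identifier, which is reserved for the implementation; `SSHNXOS_H` (the `NXOS_INTERFACE_PROPERTIES_HH` style used elsewhere in this commit) avoids that. The constructor signature uses `QStringList` and `std::list<std::string>` but the header only includes `<QString>`, so it relies on SSHCisco.h pulling in `<QStringList>`, `<list>` and `<string>` transitively. `Q_OBJECT;` carries a stray semicolon after the macro. The same reserved-identifier guard appears in nxosAdvancedDialog.h and nxosaclAdvancedDialog.h, where the closing `#endif // __NXOSADVANCEDDIALOG_H` / `#endif // __NXOSACLADVANCEDDIALOG_H` comments also do not match the guard names they close.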


@ -51,6 +51,7 @@ class instConf {
bool saveStandby;
bool batchInstall;
bool useSCPForRouter; // use scp for cisco ios, pix and hp procurve
bool useNXOSSession; // use NXOS Session Manager
QString pgm;
QString wdir;


@ -693,7 +693,7 @@ bool instDialog::checkSSHPathConfiguration(Firewall *fw)
bool instDialog::isCiscoFamily()
{
string platform = cnf.fwobj->getStr("platform");
return (platform=="pix" || platform=="fwsm" || platform=="iosacl");
return (platform=="pix" || platform=="fwsm" || platform=="iosacl" || platform=="nxosacl");
}
bool instDialog::isProcurve()


@ -1239,6 +1239,8 @@ void instDialog::readInstallerOptionsFromFirewallObject(Firewall *fw)
cnf.sshArgs = fwopt->getStr("sshArgs").c_str();
cnf.scpArgs = fwopt->getStr("scpArgs").c_str();
cnf.useSCPForRouter = fwopt->getBool("use_scp");
cnf.useNXOSSession = fwopt->getBool("use_nxos_session");
cnf.activationCmd = fwopt->getStr("activationCmd").c_str();


@ -125,7 +125,7 @@ instOptionsDialog::instOptionsDialog(QWidget *parent, instConf *_cnf, bool insta
string version = cnf->fwobj->getStr("version");
if (platform=="pix" || platform=="fwsm" ||
platform=="iosacl" ||
platform=="iosacl" || platform=="nxosacl" ||
platform=="procurve_acl" )
{
m_dialog->copyFWB->hide();


@ -35,6 +35,7 @@ HEADERS += ../../config.h \
SSHCisco.h \
SSHPIX.h \
SSHIOS.h \
SSHNXOS.h \
SSHProcurve.h \
debugDialog.h \
findDialog.h \
@ -107,6 +108,8 @@ HEADERS += ../../config.h \
pixosAdvancedDialog.h \
iosaclAdvancedDialog.h \
iosAdvancedDialog.h \
nxosaclAdvancedDialog.h \
nxosAdvancedDialog.h \
ipcoposAdvancedDialog.h \
linux24AdvancedDialog.h \
linksysAdvancedDialog.h \
@ -251,6 +254,7 @@ SOURCES += ProjectPanel.cpp \
SSHCisco.cpp \
SSHPIX.cpp \
SSHIOS.cpp \
SSHNXOS.cpp \
SSHProcurve.cpp \
debugDialog.cpp \
findDialog.cpp \
@ -323,6 +327,8 @@ SOURCES += ProjectPanel.cpp \
pixosAdvancedDialog.cpp \
iosaclAdvancedDialog.cpp \
iosAdvancedDialog.cpp \
nxosaclAdvancedDialog.cpp \
nxosAdvancedDialog.cpp \
ipcoposAdvancedDialog.cpp \
linux24AdvancedDialog.cpp \
linksysAdvancedDialog.cpp \
@ -488,6 +494,8 @@ FORMS = FWBMainWindow_q.ui \
pixosadvanceddialog_q.ui \
iosacladvanceddialog_q.ui \
iosadvanceddialog_q.ui \
nxosacladvanceddialog_q.ui \
nxosadvanceddialog_q.ui \
procurveacladvanceddialog_q.ui \
simpletexteditor_q.ui \
simpleinteditor_q.ui \


@ -0,0 +1,106 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "global.h"
#include "utils.h"
#include "nxosAdvancedDialog.h"
#include "FWWindow.h"
#include "FWCmdChange.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include <memory>
#include <qcheckbox.h>
#include <qspinbox.h>
#include <qcombobox.h>
#include <qradiobutton.h>
#include <qlineedit.h>
#include <qstackedwidget.h>
#include <qregexp.h>
using namespace std;
using namespace libfwbuilder;
nxosAdvancedDialog::~nxosAdvancedDialog()
{
delete m_dialog;
}
nxosAdvancedDialog::nxosAdvancedDialog(QWidget *parent,FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::nxosAdvancedDialog_q;
m_dialog->setupUi(this);
obj=o;
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
/* Page "General" */
data.registerOption( m_dialog->nxos_set_host_name , fwoptions, "nxos_set_host_name" );
data.registerOption( m_dialog->nxos_ip_address , fwoptions, "nxos_ip_address" );
data.loadAll();
m_dialog->tabWidget->setCurrentIndex(0);
}
/*
* store all data in the object
*/
void nxosAdvancedDialog::accept()
{
ProjectPanel *project = mw->activeProject();
std::auto_ptr<FWCmdChange> cmd( new FWCmdChange(project, obj));
// new_state is a copy of the fw object
FWObject* new_state = cmd->getNewState();
FWOptions* fwoptions = Firewall::cast(new_state)->getOptionsObject();
assert(fwoptions!=NULL);
data.saveAll(fwoptions);
if (!cmd->getOldState()->cmp(new_state, true))
project->undoStack->push(cmd.release());
QDialog::accept();
}
void nxosAdvancedDialog::reject()
{
QDialog::reject();
}
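Review bot: In the constructor, `Management *mgmt` is fetched only to be checked by `assert(mgmt!=NULL)` and is never used afterwards, so with NDEBUG it becomes an unused variable; either drop the two lines or keep the check as an explicit condition. `std::auto_ptr<FWCmdChange>` in accept() is deprecated from C++11 on; if the project builds with that standard, `std::unique_ptr` is the drop-in replacement (the same applies to nxosaclAdvancedDialog::accept()). The Qt headers `qspinbox.h`, `qcombobox.h`, `qradiobutton.h`, `qstackedwidget.h` and `qregexp.h` do not appear to be referenced by anything in this file.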


@ -0,0 +1,61 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __NXOSADVANCEDDIALOG_H_
#define __NXOSADVANCEDDIALOG_H_
#include <ui_nxosadvanceddialog_q.h>
#include "DialogData.h"
namespace libfwbuilder {
class FWObject;
};
class nxosAdvancedDialog : public QDialog
{
Q_OBJECT
libfwbuilder::FWObject *obj;
DialogData data;
Ui::nxosAdvancedDialog_q*m_dialog;
public:
nxosAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o);
~nxosAdvancedDialog();
protected slots:
virtual void accept();
virtual void reject();
public slots:
};
#endif // __NXOSADVANCEDDIALOG_H


@ -0,0 +1,392 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "global.h"
#include "utils.h"
#include "utils_no_qt.h"
#include "nxosaclAdvancedDialog.h"
#include "SimpleTextEditor.h"
#include "FWWindow.h"
#include "FWBSettings.h"
#include "FWCmdChange.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/XMLTools.h"
#include <memory>
#include <qcheckbox.h>
#include <qspinbox.h>
#include <qcombobox.h>
#include <qradiobutton.h>
#include <qlineedit.h>
#include <qstackedwidget.h>
#include <qregexp.h>
#include <qtextedit.h>
#include <qtabwidget.h>
#include <qlistwidget.h>
#include <qlabel.h>
#include <qprocess.h>
#include <qfile.h>
#include <iostream>
#include <sstream>
#include <libxml/xmlmemory.h>
using namespace std;
using namespace libfwbuilder;
nxosaclAdvancedDialog::~nxosaclAdvancedDialog()
{
delete m_dialog;
}
nxosaclAdvancedDialog::nxosaclAdvancedDialog(QWidget *parent,FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::nxosaclAdvancedDialog_q;
m_dialog->setupUi(this);
obj=o;
FWOptions *fwoptions=(Firewall::cast(obj))->getOptionsObject();
assert(fwoptions!=NULL);
string vers="version_"+obj->getStr("version");
string platform = obj->getStr("platform"); // should be 'nxosacl'
QString s;
QStringList logLevels;
QStringList logLevelMapping;
logLevelMapping.push_back("");
logLevelMapping.push_back("");
/* filling pop-down menu and pushing the same strings to the mapping
* list at the same time so we could use translation
*/
s=QObject::tr("0 - System Unusable");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("0");
s=QObject::tr("1 - Take Immediate Action");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("1");
s=QObject::tr("2 - Critical Condition");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("2");
s=QObject::tr("3 - Error Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("3");
s=QObject::tr("4 - Warning Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("4");
s=QObject::tr("5 - Normal but significant condition");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("5");
s=QObject::tr("6 - Informational");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("6");
s=QObject::tr("7 - Debug Message");
logLevels.push_back(s);
logLevelMapping.push_back(s);
logLevelMapping.push_back("7");
/* do not need to translate syslog facilities, but will use the same
* method just in case */
QStringList syslogFacilities;
QStringList syslogFacilityMapping;
syslogFacilities.push_back("");
syslogFacilityMapping.push_back("");
syslogFacilityMapping.push_back("");
syslogFacilities.push_back("LOCAL0");
syslogFacilityMapping.push_back("LOCAL0");
syslogFacilityMapping.push_back("16");
syslogFacilities.push_back("LOCAL1");
syslogFacilityMapping.push_back("LOCAL1");
syslogFacilityMapping.push_back("17");
syslogFacilities.push_back("LOCAL2");
syslogFacilityMapping.push_back("LOCAL2");
syslogFacilityMapping.push_back("18");
syslogFacilities.push_back("LOCAL3");
syslogFacilityMapping.push_back("LOCAL3");
syslogFacilityMapping.push_back("19");
syslogFacilities.push_back("LOCAL4");
syslogFacilityMapping.push_back("LOCAL4");
syslogFacilityMapping.push_back("20");
syslogFacilities.push_back("LOCAL5");
syslogFacilityMapping.push_back("LOCAL5");
syslogFacilityMapping.push_back("21");
syslogFacilities.push_back("LOCAL6");
syslogFacilityMapping.push_back("LOCAL6");
syslogFacilityMapping.push_back("22");
syslogFacilities.push_back("LOCAL7");
syslogFacilityMapping.push_back("LOCAL7");
syslogFacilityMapping.push_back("23");
bool f1=fwoptions->getBool("nxosacl_acl_basic");
bool f2=fwoptions->getBool("nxosacl_acl_no_clear");
bool f3=fwoptions->getBool("nxosacl_acl_substitution");
bool f4=fwoptions->getBool("nxosacl_add_clear_statements");
/*
* If none of the new nxosacl_acl_* options is set and old nxosacl_add_clear_statements
* option is true, set nxosacl_acl_basic to true.
*
* If old option nxosacl_add_clear_statements iss false, set
* nxosacl_acl_no_clear to true
*/
if (!f1 && !f2 && !f3)
{
if ( f4 ) fwoptions->setBool("nxosacl_acl_basic",true);
else fwoptions->setBool("nxosacl_acl_no_clear",true);
}
Management *mgmt=(Firewall::cast(obj))->getManagementObject();
assert(mgmt!=NULL);
data.registerOption(m_dialog->ipv4before_2, fwoptions,
"ipv4_6_order",
QStringList() << tr("IPv4 before IPv6")
<< "ipv4_first"
<< tr("IPv6 before IPv4")
<< "ipv6_first"
);
/* Page "Compiler Options" */
data.registerOption( m_dialog->outputFileName, fwoptions,
"output_file" );
data.registerOption( m_dialog->nxosacl_acl_basic, fwoptions,
"nxosacl_acl_basic" );
data.registerOption( m_dialog->nxosacl_use_object_groups, fwoptions,
"nxosacl_use_object_groups" );
/*
data.registerOption( m_dialog->nxosacl_acl_alwaysNew, fwoptions,
"nxosacl_acl_always_new" );
*/
data.registerOption( m_dialog->nxosacl_acl_no_clear, fwoptions,
"nxosacl_acl_no_clear" );
data.registerOption( m_dialog->nxosacl_acl_substitution, fwoptions,
"nxosacl_acl_substitution" );
data.registerOption( m_dialog->nxosacl_acl_temp_addr, fwoptions,
"nxosacl_acl_temp_addr" );
data.registerOption( m_dialog->nxosacl_include_comments, fwoptions,
"nxosacl_include_comments" );
data.registerOption( m_dialog->nxosacl_use_acl_remarks, fwoptions,
"nxosacl_use_acl_remarks" );
data.registerOption( m_dialog->nxosacl_regroup_commands, fwoptions,
"nxosacl_regroup_commands" );
data.registerOption( m_dialog->nxosacl_check_shadowing, fwoptions,
"check_shading" );
data.registerOption( m_dialog->nxosacl_ignore_empty_groups, fwoptions,
"ignore_empty_groups" );
data.registerOption( m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh" );
data.registerOption( m_dialog->mgmt_addr, fwoptions, "mgmt_addr" );
/* page Installer */
data.registerOption( m_dialog->user, fwoptions, "admUser");
data.registerOption( m_dialog->altAddress, fwoptions, "altAddress");
data.registerOption( m_dialog->sshArgs, fwoptions, "sshArgs");
data.registerOption( m_dialog->scpArgs, fwoptions, "scpArgs");
data.registerOption( m_dialog->use_scp, fwoptions, "use_scp");
data.registerOption( m_dialog->use_nxos_session, fwoptions, "use_nxos_session" );
data.registerOption( m_dialog->filesystem, fwoptions, "filesystem");
data.registerOption( m_dialog->filesystem, fwoptions, "firewall_dir");
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
m_dialog->installScript->setText(pis->getCommand().c_str() );
m_dialog->installScriptArgs->setText( pis->getArguments().c_str() );
/* page "Prolog/Epilog" */
data.registerOption( m_dialog->nxosacl_prolog_script, fwoptions,
"nxosacl_prolog_script" );
data.registerOption( m_dialog->nxosacl_epilog_script, fwoptions,
"nxosacl_epilog_script" );
/* page Logging */
data.registerOption(m_dialog->generate_logging_commands, fwoptions,
"nxosacl_generate_logging_commands");
data.registerOption(m_dialog->syslog_host, fwoptions, "nxosacl_syslog_host");
m_dialog->syslog_facility->clear();
m_dialog->syslog_facility->addItems( syslogFacilities );
data.registerOption( m_dialog->syslog_facility, fwoptions,
"nxosacl_syslog_facility", syslogFacilityMapping);
m_dialog->logging_trap_level->clear();
m_dialog->logging_trap_level->addItems(logLevels);
data.registerOption( m_dialog->logging_trap_level, fwoptions,
"nxosacl_logging_trap_level", logLevelMapping);
data.registerOption(m_dialog->logging_timestamp, fwoptions,
"nxosacl_logging_timestamp");
data.registerOption(m_dialog->logging_buffered, fwoptions,
"nxosacl_logging_buffered");
m_dialog->logging_buffered_level->clear();
m_dialog->logging_buffered_level->addItems(logLevels);
data.registerOption( m_dialog->logging_buffered_level, fwoptions,
"nxosacl_logging_buffered_level", logLevelMapping);
data.registerOption(m_dialog->logging_console, fwoptions,
"nxosacl_logging_console");
m_dialog->logging_console_level->clear();
m_dialog->logging_console_level->addItems(logLevels);
data.registerOption( m_dialog->logging_console_level,fwoptions,
"nxosacl_logging_console_level", logLevelMapping);
data.loadAll();
scriptACLModeChanged();
toggleGenerateLogging();
m_dialog->tabWidget->setCurrentIndex(0);
}
/*
* store all data in the object
*/
void nxosaclAdvancedDialog::accept()
{
ProjectPanel *project = mw->activeProject();
std::auto_ptr<FWCmdChange> cmd( new FWCmdChange(project, obj));
// new_state is a copy of the fw object
FWObject* new_state = cmd->getNewState();
FWOptions* options = Firewall::cast(new_state)->getOptionsObject();
assert(options!=NULL);
Management *mgmt = (Firewall::cast(new_state))->getManagementObject();
assert(mgmt!=NULL);
data.saveAll(options);
const InetAddr *mgmt_addr = Firewall::cast(obj)->getManagementAddress();
if (mgmt_addr)
mgmt->setAddress(*mgmt_addr);
PolicyInstallScript *pis = mgmt->getPolicyInstallScript();
pis->setCommand( m_dialog->installScript->text().toLatin1().constData() );
pis->setArguments( m_dialog->installScriptArgs->text().toLatin1().constData() );
if (!cmd->getOldState()->cmp(new_state, true))
project->undoStack->push(cmd.release());
QDialog::accept();
}
void nxosaclAdvancedDialog::reject()
{
QDialog::reject();
}
void nxosaclAdvancedDialog::editProlog()
{
SimpleTextEditor edt(this,
m_dialog->nxosacl_prolog_script->toPlainText(),
true, tr( "Script Editor" ) );
if ( edt.exec() == QDialog::Accepted )
m_dialog->nxosacl_prolog_script->setText( edt.text() );
}
void nxosaclAdvancedDialog::editEpilog()
{
SimpleTextEditor edt(this,
m_dialog->nxosacl_epilog_script->toPlainText(),
true, tr( "Script Editor" ) );
if ( edt.exec() == QDialog::Accepted )
m_dialog->nxosacl_epilog_script->setText( edt.text() );
}
void nxosaclAdvancedDialog::scriptACLModeChanged()
{
m_dialog->nxosacl_acl_temp_lbl->setEnabled(
m_dialog->nxosacl_acl_substitution->isChecked());
m_dialog->nxosacl_acl_temp_addr->setEnabled(
m_dialog->nxosacl_acl_substitution->isChecked());
}
void nxosaclAdvancedDialog::toggleGenerateLogging()
{
m_dialog->syslog_controls->setEnabled(
m_dialog->generate_logging_commands->isChecked());
m_dialog->other_logging_controls->setEnabled(
m_dialog->generate_logging_commands->isChecked());
}
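Review bot: The block that converts `nxosacl_add_clear_statements` into `nxosacl_acl_basic`/`nxosacl_acl_no_clear`, together with its comment about the "old option", appears to be carried over from the IOS dialog; NX-OS is introduced by this commit, so there is no old option to migrate, and the block also writes to the live object's options from the constructor, outside the FWCmdChange/undo path that accept() uses. If a default is still wanted, setting `nxosacl_acl_no_clear` when none of the three flags is set is enough, and `iss false` in the comment should read `is false`. The locals `vers` and `platform` are assigned and never used. `m_dialog->filesystem` is registered against both `"filesystem"` and `"firewall_dir"`; if that is intentional (keeping the two keys in sync) a one-line comment would stop the next reader from treating it as a copy-paste slip.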


@ -0,0 +1,72 @@
/*
Firewall Builder
Copyright (C) 2004 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __NXOSACLADVANCEDDIALOG_H_
#define __NXOSACLADVANCEDDIALOG_H_
#include <ui_nxosacladvanceddialog_q.h>
#include "DialogData.h"
#include <QDialog>
#include <string>
class QWidget;
class QSpinBox;
class QComboBox;
class QCheckBox;
class QProcess;
namespace libfwbuilder {
class FWObject;
};
class nxosaclAdvancedDialog : public QDialog
{
Q_OBJECT
libfwbuilder::FWObject *obj;
DialogData data;
Ui::nxosaclAdvancedDialog_q *m_dialog;
public:
nxosaclAdvancedDialog(QWidget *parent,libfwbuilder::FWObject *o);
~nxosaclAdvancedDialog();
protected slots:
virtual void accept();
virtual void reject();
virtual void editProlog();
virtual void editEpilog();
virtual void scriptACLModeChanged();
virtual void toggleGenerateLogging();
};
#endif // __NXOSACLADVANCEDDIALOG_H


@ -0,0 +1,1431 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>nxosaclAdvancedDialog_q</class>
<widget class="QDialog" name="nxosaclAdvancedDialog_q">
<property name="windowModality">
<enum>Qt::WindowModal</enum>
</property>
<property name="enabled">
<bool>true</bool>
</property>
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>743</width>
<height>600</height>
</rect>
</property>
<property name="windowTitle">
<string>NX-OS ACL Firewall Settings</string>
</property>
<property name="sizeGripEnabled">
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout_5">
<item row="0" column="0">
<widget class="QTabWidget" name="tabWidget">
<property name="currentIndex">
<number>0</number>
</property>
<widget class="QWidget" name="compiler_tab">
<attribute name="title">
<string>Compiler Options</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_9">
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_5">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Output file name (if left blank, the file name is constructed of the firewall object name and extension &quot;.fw&quot;)</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="outputFileName">
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>32767</width>
<height>22</height>
</size>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QGroupBox" name="groupBox">
<property name="enabled">
<bool>false</bool>
</property>
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_4">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QRadioButton" name="separate_acls_for_interfaces">
<property name="toolTip">
<string>Compiler creates multiple access lists from the same policy,
two for each interface: one for inbound and another for
outbound. If the policy is written in a such way that no rule
can possibly be associated with an interface, this interface
gets no access list at all. Also, interfaces marked as
&quot;unprotected&quot; never get access list regardless of how the policy
rules are designed.
</string>
</property>
<property name="text">
<string>Generate separate access list for each interface</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QRadioButton" name="one_acl_for_all_interfaces">
<property name="toolTip">
<string>Compiler creates one access list and assigns it to all
interfaces.
</string>
</property>
<property name="text">
<string>Create one access list and attach it to all interfaces</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QGroupBox" name="frame114">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<string>Policy Compiler Options</string>
</property>
<property name="flat">
<bool>false</bool>
</property>
<property name="checkable">
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout_6">
<item row="0" column="0">
<widget class="QCheckBox" name="nxosacl_ignore_empty_groups">
<property name="toolTip">
<string>If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works!</string>
</property>
<property name="text">
<string>Ignore empty groups in rules</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="nxosacl_check_shadowing">
<property name="toolTip">
<string>Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule.</string>
</property>
<property name="text">
<string>Detect rule shadowing in the policy</string>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QCheckBox" name="nxosacl_use_object_groups">
<property name="text">
<string>Use object-group statements (requires NX-OS v12.4(20)T and later)</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="3" column="0" colspan="2">
<widget class="QCheckBox" name="mgmt_ssh">
<property name="text">
<string>Always permit ssh access from the management workstation with this address:</string>
</property>
<property name="checkable">
<bool>true</bool>
</property>
<property name="checked">
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="0">
<widget class="QLineEdit" name="mgmt_addr">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>32767</width>
<height>22</height>
</size>
</property>
</widget>
</item>
<item row="4" column="1">
<spacer name="horizontalSpacer_2">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>328</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="5" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>170</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="script_options_tab">
<attribute name="title">
<string>Script Options</string>
</attribute>
<layout class="QGridLayout">
<property name="leftMargin">
<number>20</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>20</number>
</property>
<property name="bottomMargin">
<number>20</number>
</property>
<item row="1" column="0">
<widget class="QGroupBox" name="frame170">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Expanding">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_7">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="nxosacl_include_comments">
<property name="toolTip">
<string>Insert comments into generated NX-OSACL configuration file</string>
</property>
<property name="text">
<string>Comment the code</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="nxosacl_use_acl_remarks">
<property name="toolTip">
<string>Insert comments into generated NX-OSACL configuration file</string>
</property>
<property name="text">
<string>Use ACL remarks</string>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QCheckBox" name="nxosacl_regroup_commands">
<property name="toolTip">
<string>Group NX-OSACL commands in the script so that similar commands appear next to each other, just like NX-OSACL does it when you use 'show config'</string>
</property>
<property name="text">
<string>Group similar commands together</string>
</property>
</widget>
</item>
<item row="3" column="0">
<spacer name="verticalSpacer">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>70</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
<item row="0" column="0">
<widget class="QGroupBox" name="buttonGroup10">
<property name="sizePolicy">
<sizepolicy hsizetype="Preferred" vsizetype="Expanding">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<string/>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<property name="spacing">
<number>6</number>
</property>
<item row="0" column="1">
<widget class="QLabel" name="textLabel2_3">
<property name="text">
<string>Clear all access lists then install new ones. This method may interrupt access to the firewall if you manage it remotely via IPSEC tunnel. This is the way access lists were generated in older versions of Firewall Builder for NX-OSACL.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="buddy">
<cstring>nxosacl_acl_basic</cstring>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QLabel" name="textLabel3">
<property name="focusPolicy">
<enum>Qt::ClickFocus</enum>
</property>
<property name="text">
<string>Do not clear access lists and object group, just generate NX-OSACL commands for the new ones. Use this option if you have your own policy installation scripts.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="buddy">
<cstring>nxosacl_acl_no_clear</cstring>
</property>
</widget>
</item>
<item row="3" column="1">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1">
<widget class="QLabel" name="textLabel4">
<property name="text">
<string>&quot;Safety net&quot; method:
First, create temporary access list to permit connections from the management subnet specified below to the firewall and assign it to outside interface. This temporary ACL helps maintain session between management station and the firewall while access lists are reloaded in case connection comes over IPSEC tunnel. Then clear permanent lists, recreate them and assign to interfaces. This method ensures that remote access to the firewall is maintained without interruption at a cost of slightly larger configuration.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="buddy">
<cstring>nxosacl_acl_substitution</cstring>
</property>
</widget>
</item>
<item row="4" column="0" colspan="2">
<widget class="QFrame" name="frame5">
<property name="frameShape">
<enum>QFrame::StyledPanel</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>11</number>
</property>
<property name="topMargin">
<number>11</number>
</property>
<property name="rightMargin">
<number>11</number>
</property>
<property name="bottomMargin">
<number>11</number>
</property>
<item row="0" column="0" colspan="3">
<widget class="QLabel" name="nxosacl_acl_temp_lbl">
<property name="text">
<string>Temporary access list should permit access from this address or subnet (use prefix notation to specify subnet, e.g. 192.0.2.0/24):</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="2">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>120</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="1">
<widget class="QLineEdit" name="nxosacl_acl_temp_addr">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>200</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>120</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="1" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>110</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
<item row="0" column="0">
<widget class="QRadioButton" name="nxosacl_acl_basic">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string/>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QRadioButton" name="nxosacl_acl_no_clear">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string/>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QRadioButton" name="nxosacl_acl_substitution">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string/>
</property>
</widget>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="installer_tab">
<attribute name="title">
<string>Installer</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_8">
<property name="leftMargin">
<number>4</number>
</property>
<property name="topMargin">
<number>4</number>
</property>
<property name="rightMargin">
<number>4</number>
</property>
<property name="bottomMargin">
<number>4</number>
</property>
<item row="4" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="SCPgroupBox">
<property name="title">
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_3">
<item row="0" column="0" colspan="2">
<widget class="QLabel" name="label">
<property name="text">
<string>Instead of running generated configuration on the router line by line, installer can use scp to copy the file and then &quot;copy file running-config&quot; command to activate it. Ssh v2 and scp servers should be configured on the router for this to work. This method works for NX-OS v12.4 or later and is much faster than running configuration line by line.</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QCheckBox" name="use_scp">
<property name="text">
<string>Copy generated configuration file to the router using scp</string>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QLabel" name="label_3">
<property name="text">
<string>File system on the router where configuration file should be saved if it is copied with scp. Examples: &quot;nvram:&quot;, &quot;slot0:&quot;. Should end with a colon &quot;:&quot;. If this input field is left blank, installer uses &quot;volatile:&quot;:</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLineEdit" name="filesystem"/>
</item>
<item row="3" column="1">
<spacer name="horizontalSpacer">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>398</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
<item row="2" column="0">
<widget class="QGroupBox" name="groupBox1">
<property name="title">
<string>External install script</string>
</property>
<layout class="QGridLayout" name="gridLayout_2">
<property name="verticalSpacing">
<number>6</number>
</property>
<item row="0" column="0">
<layout class="QHBoxLayout" name="horizontalLayout">
<item>
<widget class="QLabel" name="textLabel5_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Policy install script (using built-in installer if this field is blank):</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScript">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
<item row="1" column="0">
<layout class="QHBoxLayout" name="horizontalLayout_2">
<item>
<widget class="QLabel" name="textLabel6_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Command line options for the script:</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScriptArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</item>
<item row="0" column="0">
<widget class="QGroupBox" name="groupBox2">
<property name="title">
<string>Built-in installer</string>
</property>
<layout class="QGridLayout" name="gridLayout_125">
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_2">
<property name="text">
<string>User name used to authenticate to the firewall (leave this empty if you use putty session):</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="user">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel1_3">
<property name="text">
<string>Alternative name or address used to communicate with the firewall (also putty session name on Windows)</string>
</property>
<property name="alignment">
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QLineEdit" name="altAddress">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2">
<layout class="QHBoxLayout">
<item>
<widget class="QLabel" name="textLabel1_7">
<property name="text">
<string>Additional command line parameters for ssh</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="sshArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
<item row="3" column="0" colspan="2">
<layout class="QHBoxLayout" name="_2">
<item>
<widget class="QLabel" name="textLabel1_8">
<property name="text">
<string>Additional command line parameters for scp</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="scpArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>300</width>
<height>0</height>
</size>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</widget>
</item>
<item row="3" column="0">
<widget class="QCheckBox" name="use_nxos_session">
<property name="text">
<string>Use NXOS Session Manager</string>
</property>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="prolog_epilog_tab">
<attribute name="title">
<string>Prolog/Epilog</string>
</attribute>
<layout class="QGridLayout">
<property name="leftMargin">
<number>20</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>20</number>
</property>
<property name="bottomMargin">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QGroupBox" name="frame146">
<property name="title">
<string/>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>6</number>
</property>
<property name="topMargin">
<number>6</number>
</property>
<property name="rightMargin">
<number>6</number>
</property>
<property name="bottomMargin">
<number>6</number>
</property>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1">
<widget class="QPushButton" name="edit_prolog_button">
<property name="text">
<string>Edit</string>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="textLabel2">
<property name="text">
<string>The following commands will be added verbatim on top of generated configuration</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QTextEdit" name="nxosacl_prolog_script"/>
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="frame147">
<property name="title">
<string/>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>6</number>
</property>
<property name="topMargin">
<number>6</number>
</property>
<property name="rightMargin">
<number>6</number>
</property>
<property name="bottomMargin">
<number>6</number>
</property>
<item row="2" column="1">
<widget class="QPushButton" name="edit_epilog_button">
<property name="text">
<string>Edit</string>
</property>
</widget>
</item>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0" colspan="2">
<widget class="QTextEdit" name="nxosacl_epilog_script"/>
</item>
<item row="0" column="0" colspan="2">
<widget class="QLabel" name="textLabel2_2">
<property name="text">
<string>The following commands will be added verbatim after generated configuration</string>
</property>
<property name="textFormat">
<enum>Qt::RichText</enum>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
<property name="margin">
<number>0</number>
</property>
</widget>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="logging_tab">
<attribute name="title">
<string>Logging</string>
</attribute>
<layout class="QGridLayout">
<item row="0" column="0">
<widget class="QCheckBox" name="generate_logging_commands">
<property name="text">
<string>Generate logging commands</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="syslog_controls">
<property name="title">
<string>Syslog</string>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<item row="0" column="1" colspan="2">
<widget class="QLineEdit" name="syslog_host"/>
</item>
<item row="0" column="0">
<widget class="QLabel" name="label599">
<property name="text">
<string>Syslog host (name or IP address):</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QLabel" name="label598">
<property name="text">
<string>syslog facility:</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLabel" name="label640">
<property name="text">
<string>syslog level ('logging trap'):</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="1" colspan="2">
<widget class="QComboBox" name="syslog_facility"/>
</item>
<item row="3" column="1" colspan="2">
<widget class="QComboBox" name="logging_trap_level"/>
</item>
<item row="5" column="0" colspan="3">
<widget class="Line" name="hseparator39">
<property name="frameShape">
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="7" column="0" colspan="3">
<widget class="Line" name="hseparator40">
<property name="frameShape">
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="8" column="0" colspan="3">
<widget class="QLabel" name="label641">
<property name="text">
<string>The logging timestamp command requires that the clock command be set.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="9" column="0" colspan="3">
<widget class="QCheckBox" name="logging_timestamp">
<property name="text">
<string>Enable logging timestamps on syslog file</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="2" column="0">
<widget class="QGroupBox" name="other_logging_controls">
<property name="title">
<string>Other logging destinations and levels:</string>
</property>
<layout class="QGridLayout">
<property name="leftMargin">
<number>12</number>
</property>
<property name="topMargin">
<number>12</number>
</property>
<property name="rightMargin">
<number>12</number>
</property>
<property name="bottomMargin">
<number>12</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="logging_buffered">
<property name="text">
<string>Internal buffer</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="logging_console">
<property name="text">
<string>Console</string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QComboBox" name="logging_buffered_level"/>
</item>
<item row="1" column="1">
<widget class="QComboBox" name="logging_console_level"/>
</item>
</layout>
</widget>
</item>
<item row="3" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>675</width>
<height>121</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
<widget class="QWidget" name="ipv6_tab">
<attribute name="title">
<string>IPv6</string>
</attribute>
<layout class="QGridLayout">
<item row="1" column="0">
<widget class="QLabel" name="label_2">
<property name="text">
<string>The order in which ipv4 and ipv6 rules should be generated:</string>
</property>
</widget>
</item>
<item row="1" column="1">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="0">
<widget class="QComboBox" name="ipv4before_2">
<item>
<property name="text">
<string>IPv4 before IPv6</string>
</property>
</item>
<item>
<property name="text">
<string>IPv6 before IPv4</string>
</property>
</item>
</widget>
</item>
<item row="3" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
<item row="1" column="0">
<layout class="QHBoxLayout">
<item>
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item>
<layout class="QHBoxLayout">
<item>
<widget class="QPushButton" name="ok_button">
<property name="text">
<string>OK</string>
</property>
</widget>
</item>
<item>
<widget class="QLabel" name="label583">
<property name="alignment">
<set>Qt::AlignCenter</set>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="cancel_button">
<property name="text">
<string>Cancel</string>
</property>
</widget>
</item>
</layout>
</item>
</layout>
</item>
</layout>
</widget>
<tabstops>
<tabstop>outputFileName</tabstop>
<tabstop>separate_acls_for_interfaces</tabstop>
<tabstop>one_acl_for_all_interfaces</tabstop>
<tabstop>nxosacl_ignore_empty_groups</tabstop>
<tabstop>nxosacl_check_shadowing</tabstop>
<tabstop>mgmt_ssh</tabstop>
<tabstop>mgmt_addr</tabstop>
<tabstop>nxosacl_acl_basic</tabstop>
<tabstop>nxosacl_acl_no_clear</tabstop>
<tabstop>nxosacl_acl_substitution</tabstop>
<tabstop>nxosacl_acl_temp_addr</tabstop>
<tabstop>nxosacl_include_comments</tabstop>
<tabstop>nxosacl_use_acl_remarks</tabstop>
<tabstop>nxosacl_regroup_commands</tabstop>
<tabstop>user</tabstop>
<tabstop>altAddress</tabstop>
<tabstop>sshArgs</tabstop>
<tabstop>scpArgs</tabstop>
<tabstop>use_scp</tabstop>
<tabstop>filesystem</tabstop>
<tabstop>installScript</tabstop>
<tabstop>installScriptArgs</tabstop>
<tabstop>nxosacl_prolog_script</tabstop>
<tabstop>edit_prolog_button</tabstop>
<tabstop>nxosacl_epilog_script</tabstop>
<tabstop>edit_epilog_button</tabstop>
<tabstop>generate_logging_commands</tabstop>
<tabstop>syslog_host</tabstop>
<tabstop>syslog_facility</tabstop>
<tabstop>logging_trap_level</tabstop>
<tabstop>logging_timestamp</tabstop>
<tabstop>logging_buffered</tabstop>
<tabstop>logging_console</tabstop>
<tabstop>logging_buffered_level</tabstop>
<tabstop>logging_console_level</tabstop>
<tabstop>ipv4before_2</tabstop>
<tabstop>ok_button</tabstop>
<tabstop>cancel_button</tabstop>
<tabstop>textLabel3</tabstop>
<tabstop>tabWidget</tabstop>
</tabstops>
<resources/>
<connections>
<connection>
<sender>ok_button</sender>
<signal>clicked()</signal>
<receiver>nxosaclAdvancedDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>cancel_button</sender>
<signal>clicked()</signal>
<receiver>nxosaclAdvancedDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>edit_prolog_button</sender>
<signal>clicked()</signal>
<receiver>nxosaclAdvancedDialog_q</receiver>
<slot>editProlog()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>edit_epilog_button</sender>
<signal>clicked()</signal>
<receiver>nxosaclAdvancedDialog_q</receiver>
<slot>editEpilog()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>nxosacl_acl_basic</sender>
<signal>clicked()</signal>
<receiver>nxosaclAdvancedDialog_q</receiver>
<slot>scriptACLModeChanged()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>nxosacl_acl_substitution</sender>
<signal>clicked()</signal>
<receiver>nxosaclAdvancedDialog_q</receiver>
<slot>scriptACLModeChanged()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>generate_logging_commands</sender>
<signal>toggled(bool)</signal>
<receiver>nxosaclAdvancedDialog_q</receiver>
<slot>toggleGenerateLogging()</slot>
<hints>
<hint type="sourcelabel">
<x>359</x>
<y>55</y>
</hint>
<hint type="destinationlabel">
<x>359</x>
<y>359</y>
</hint>
</hints>
</connection>
</connections>
</ui>


@ -0,0 +1,143 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>nxosAdvancedDialog_q</class>
<widget class="QDialog" name="nxosAdvancedDialog_q">
<property name="windowModality">
<enum>Qt::WindowModal</enum>
</property>
<property name="enabled">
<bool>true</bool>
</property>
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>597</width>
<height>188</height>
</rect>
</property>
<property name="windowTitle">
<string>NX-OS Advanced Configuration Options</string>
</property>
<layout class="QGridLayout">
<item row="1" column="0">
<layout class="QHBoxLayout">
<item>
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>151</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item>
<widget class="QPushButton" name="ok_button">
<property name="text">
<string>OK</string>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="cancel_button">
<property name="text">
<string>Cancel</string>
</property>
</widget>
</item>
</layout>
</item>
<item row="0" column="0">
<widget class="QTabWidget" name="tabWidget">
<widget class="QWidget" name="TabPage">
<attribute name="title">
<string>General</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<number>0</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="nxos_set_host_name">
<property name="text">
<string>Set router name using object's name</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="nxos_ip_address">
<property name="text">
<string>Generate commands to configure addresses for interfaces</string>
</property>
</widget>
</item>
<item row="2" column="0">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
</layout>
</widget>
<layoutdefault spacing="6" margin="11"/>
<tabstops>
<tabstop>nxos_set_host_name</tabstop>
<tabstop>tabWidget</tabstop>
<tabstop>nxos_ip_address</tabstop>
<tabstop>ok_button</tabstop>
<tabstop>cancel_button</tabstop>
</tabstops>
<resources/>
<connections>
<connection>
<sender>ok_button</sender>
<signal>clicked()</signal>
<receiver>nxosAdvancedDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>cancel_button</sender>
<signal>clicked()</signal>
<receiver>nxosAdvancedDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
</connections>
</ui>


@ -439,6 +439,7 @@ void getVersionsForPlatform(const QString &platform, std::list<QStringPair> &res
// corresponding resource .xml file
if (platform=="pix" ||
platform=="fwsm" ||
platform=="nxosacl" ||
platform=="iosacl" ||
platform=="procurve_acl")
{


@ -374,7 +374,7 @@ void ssh_wrapper( int argc, char *argv[] )
struct timeval tv;
int retval;
#define BUFFSIZE 512
#define BUFFSIZE 1024
#ifdef DEBUG_INSTALLER
int debug_file = open("installer.dbg",O_CREAT|O_WRONLY);
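Review bot: The doubling of BUFFSIZE to 1024 is the only change in this hunk and nothing records why, so the macro should carry its reason and contract, e.g. `#define BUFFSIZE 1024 /* bounds every read() into the ssh output buffer; raised for NX-OS output */` — the NX-OS motivation is inferred from the commit title, so adjust the wording if the cause differs. ssh_wrapper begins before and ends after the hunk, so it cannot be confirmed from here that no array size or read() length in its body still hard-codes 512; that should be checked before merging, since a mismatch between the macro and a literal is exactly how an overrun is introduced by a "harmless" constant bump. A separate, pre-existing issue on the context line below: `open("installer.dbg",O_CREAT|O_WRONLY)` passes no mode with O_CREAT, which leaves the debug file's permissions unspecified; `open("installer.dbg", O_CREAT|O_WRONLY, 0600)` makes them deterministic and owner-only.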

191
src/nxosacl/nxosacl.cpp Normal file

@ -0,0 +1,191 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include <fstream>
#include <iostream>
#include <sstream>
#include <map>
#include <algorithm>
#include <functional>
#ifdef _WIN32
# include <direct.h>
#else
# include <unistd.h>
#endif
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <ctype.h>
#include <assert.h>
#include <cstring>
#include "CompilerDriver_nxosacl.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Tools.h"
#include "fwbuilder/Constants.h"
#include <QCoreApplication>
#include <QStringList>
#include <QTextCodec>
#include "../common/init.cpp"
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
FWObjectDatabase *objdb = NULL;
class UpgradePredicate: public XMLTools::UpgradePredicate
{
public:
virtual bool operator()(const string &msg) const
{
msg.size(); // to make compiler happy about unused parameter
cout << "Data file has been created in the old version of Firewall Builder.\nLoad it in the GUI to convert it to the new version." << endl;
return false;
}
};
void usage(const char *name)
{
cout << "Firewall Builder: policy compiler for Cisco NX-OS ACL" << endl;
cout << "Copyright 2007-2009 NetCitadel, LLC" << endl;
cout << "Version " << VERSION << endl;
cout << "Usage: " << name << " [-tvV] [-f filename.xml] [-d destdir] [-o output.fw] firewall_object_name" << endl;
}
int main(int argc, char **argv)
{
QCoreApplication app(argc, argv, false);
// compilers always write file names into manifest in Utf8
QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));
QStringList args = app.arguments();
if (args.size()<=1)
{
usage(argv[0]);
exit(1);
}
QString last_arg;
string filename;
for (int idx=0; idx < args.size(); idx++)
{
QString arg = args.at(idx);
last_arg = arg;
if (arg == "-V")
{
usage(argv[0]);
exit(0);
}
if (arg == "-f")
{
idx++;
filename = string(args.at(idx).toLatin1().constData());
continue;
}
}
if (filename.empty())
{
usage(argv[0]);
exit(1);
}
init(argv);
try
{
new Resources(Constants::getResourcesFilePath());
/* create database */
objdb = new FWObjectDatabase();
/* load the data file */
UpgradePredicate upgrade_predicate;
cout << " *** Loading data ...";
objdb->setReadOnly( false );
objdb->load( filename, &upgrade_predicate, Constants::getDTDDirectory());
objdb->setFileName(filename);
objdb->reIndex();
cout << " done\n";
FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_nxosacl *driver = new CompilerDriver_nxosacl(objdb);
if (!driver->prepare(args))
{
usage(argv[0]);
exit(1);
}
driver->compile();
//int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
int ret = driver->getStatus();
delete driver;
delete objdb;
return ret;
} catch(libfwbuilder::FWException &ex)
{
cerr << ex.toString() << endl;
return 1;
} catch (std::string s)
{
cerr << s << endl;
return 1;
} catch (std::exception ex)
{
cerr << "exception: " << ex.what() << endl;
return 1;
} catch (...)
{
cerr << "Unsupported exception";
return 1;
}
return 0;
}
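Review bot: `-f` given as the last argument indexes past the end of `args`: the option loop does `idx++` and then `args.at(idx)` with no bound check, which is an assertion failure in debug Qt builds and undefined behaviour otherwise. Guarding the read fixes it: `if (arg == "-f" && idx + 1 < args.size())`, falling through to the `usage()` exit when the value is missing. Two smaller points in the catch chain: `catch (std::string s)` and `catch (std::exception ex)` catch by value, so a derived exception is sliced and `ex.what()` reports only the base-class message; `catch (const std::exception &ex)` keeps the original text. The file otherwise reads as a copy of the IOS ACL compiler's main with the driver class renamed (the 2007 header and `vk.crocodile.org` address suggest so), so the usage text and copyright lines may want refreshing too.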

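--- a/src/nxosacl/nxosacl.pro
+++ b/src/nxosacl/nxosacl.pro
@@ -0,0 +1,34 @@
+#-*- mode: makefile; tab-width: 4; -*-
+#
+include(../../qmake.inc)
+QT -= gui
+#
+#
+# PACKAGE = fwbuilder-nxosacl-$$FWB_VERSION
+#
+# QMAKE_CXXFLAGS_DEBUG += -DPACKAGE="\"$$PACKAGE\""
+# QMAKE_CXXFLAGS_RELEASE += -DPACKAGE="\"$$PACKAGE\""
+SOURCES = nxosacl.cpp
+HEADERS = ../../config.h
+!win32 {
+QMAKE_COPY = ../../install.sh -m 0755 -s
+}
+win32:CONFIG += console
+INCLUDEPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src
+DEPENDPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src
+PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
+../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \
+../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
+../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
+../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
+LIBS += $$PRE_TARGETDEPS $$LIBS
+TARGET = fwb_nxosacl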


@ -0,0 +1,33 @@
## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script.
##
## These are commands built-in policy installer runs on the firewall
##
## Variables:
##
## {{$rbtimeout}} -- rollback timeout
## {{$test}} -- doing installation in test mode
##
##{{if version_lt_124}}
##{{if cancel_rollback}}
##reload cancel
##{{endif}}
##{{endif}}
##
##
##{{if version_ge_124}}
##{{if cancel_rollback}}
##config term
##no event manager applet fwbuilder-rollback
##exit
##{{endif}}
##{{endif}}
{{if run}}
##wr mem
{{endif}}
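Review bot: Every command inside the `{{if run}}` block and inside both `cancel_rollback` branches is prefixed with `##`, so once the preprocessor strips those lines this configlet emits nothing: the running configuration is never saved and a scheduled rollback is never cancelled. The same holds for the companion configlet that starts with `terminal width 256`, where the entire `{{if schedule_rollback}}` body is `##`-commented, so no rollback is ever armed either; if the installer dialog still offers a rollback timeout for NX-OS, an operator who pushes an ACL that cuts off their own management access would expect the device to recover and it will not. The constructs that were commented out (`reload in`, `reload cancel`, `event manager applet`, `configure replace`, the `version_lt_124`/`version_ge_124` tests) are IOS-specific, so this looks like a deliberate stub pending an NX-OS equivalent; a line such as `## Rollback is not implemented for NX-OS yet; the installer's rollback option has no effect on this platform` in both configlets would stop the empty blocks from being read as working code. For persisting the configuration, the NX-OS form is `copy running-config startup-config` rather than `wr mem`.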


@ -0,0 +1,37 @@
## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script.
##
## These are commands built-in policy installer runs on the firewall
##
## Variables:
##
## {{$rbtimeout}} -- rollback timeout (min)
## {{$rbtimeout_sec}} -- rollback timeout (sec)
## {{$test}} -- doing installation in test mode
##
terminal width 256
terminal length 0
##{{if schedule_rollback}}
##
##{{if version_lt_123}}
##reload in {{$rbtimeout}}
##{{endif}}
##
##{{if version_ge_124}}
##config term
##event manager applet fwbuilder-rollback
##event timer countdown name rollback-countdown time {{$rbtimeout_sec}}
##action 1.0 cli command "enable"
##action 1.1 cli command "configure replace nvram:startup-config force"
##exit
##exit
##{{endif}}
##
##{{endif}}
config term


@ -0,0 +1,62 @@
## -*- mode: shell-script; -*-
##
## Lines that start with "##" will be removed before this code is
## added to the generated script. Regular shell comments can be added
## using single "#", these will appear in the script.
##
##
## These are commands built-in policy installer runs on the firewall if
## installation is performed using regular user account for authentication
##
## Variables:
##
## {{$fwbprompt}} -- "magic" prompt that installer uses to detect when it is logged in
## {{$fwdir}} -- directory on the firewall ("flash:" or "nvram:" or similar)
## {{$fwscript}} -- script name on the firewall
## {{$rbtimeout}} -- rollback timeout
## {{$rbtimeout_sec}} -- rollback timeout (sec)
##
## {{$firewall_name}} -- the name of the firewall object
##
{{if using_scp}}
## scp, no session
{{if not_using_nxos_session}}
copy {{$fwdir}}{{$fwscript}} running-config
{{endif}}
## scp and session
{{if using_nxos_session}}
del {{$fwdir}}/{{$fwscript}}.run
config session fwb_{{$firewall_name}}
echo "config term" > {{$fwdir}}/{{$fwscript}}.run
show file {{$fwdir}}/{{$fwscript}} >> {{$fwdir}}/{{$fwscript}}.run
run-script {{$fwdir}}/{{$fwscript}}.run >> {{$fwdir}}/{{$fwscript}}
commit
del {{$fwdir}}/{{$fwscript}}
del {{$fwdir}}/{{$fwscript}}.run
{{endif}}
exit
{{endif}}
{{if not_using_scp}}
config term
{{if using_nxos_session}}
config session fwb_{{$firewall_name}}
{{endif}}
{{$fwbuilder_generated_configuration_lines}}
{{if using_nxos_session}}
commit
{{endif}}
exit
{{endif}}
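Review bot: The two scp branches join `{{$fwdir}}` and `{{$fwscript}}` differently: the no-session branch writes `copy {{$fwdir}}{{$fwscript}} running-config` while the session branch uses `{{$fwdir}}/{{$fwscript}}` throughout, so with the `volatile:` directory from the resource file one branch produces `volatile:script` and the other `volatile:/script`; it is worth confirming on a device that NX-OS accepts both spellings, or settling on one. The no-session branch also leaves the uploaded script on the device, whereas the session branch removes both files with `del`. In the session branch nothing handles a `commit` that fails verification: the `del` lines run regardless and the session is left open, so whether the installer's output-scanning catches that case (it lives outside this file) needs confirming.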


@ -0,0 +1,50 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/nxos/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
! temporary access list for "safety net install"
{{if ipv4}}
no ip access-list extended tmp_acl
ip access-list extended tmp_acl
permit ip {{$management_addr}} {{$management_netm}} any
deny ip any any
exit
interface {{$management_interface}}
no ip access-group in
no ip access-group out
ip access-group tmp_acl in
exit
{{endif}}
{{if ipv6}}
no ipv6 access-list tmp_acl
ipv6 access-list tmp_acl
{{if slash_notation}}
permit ipv6 {{$management_addr}} any
{{endif}}
{{if host_addr}}
permit ipv6 host {{$management_addr}} any
{{endif}}
permit icmp any any
deny ipv6 any any
exit
interface {{$management_interface}}
no ipv6 traffic-filter in
no ipv6 traffic-filter out
ipv6 traffic-filter tmp_acl in
exit
{{endif}}
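Review bot: The IPv4 branch creates the temporary list with `ip access-list extended tmp_acl` and removes it with `no ip access-list extended tmp_acl`, but the NX-OS resource file in this same commit clears lists with the plain `no ip access-list` form; as far as I know the `extended` keyword is IOS syntax, and if NX-OS rejects it the "safety net" ACL that is meant to keep the operator's management address reachable during installation is never created. Dropping the keyword, `no ip access-list tmp_acl` / `ip access-list tmp_acl`, makes the configlet consistent with the resource file. Likewise `no ip access-group in` and `no ip access-group out` are issued without an ACL name; if NX-OS requires the name to remove a binding, the existing bindings stay in place and the temporary list is not the one in effect, which should be checked on a device.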


@ -0,0 +1,42 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/nxos/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
{{$top_comment}}
{{$errors_and_warnings}}
!
! Prolog script:
!
{{$prolog_script}}
!
! End of prolog script:
!
{{$other_os_configuration_commands}}
{{$system_configuration_script}}
{{$policy_script}}
{{$nat_script}}
{{$routing_script}}
!
! Epilog script:
!
{{$epilog_script}}
! End of epilog script:
!


@ -0,0 +1,12 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_nxosacl v{{$version}}
!
! Generated {{$timestamp}} {{$tz}} by {{$user}}
!
! Compiled for {{$platform}} {{$fw_version}}
!
{{$manifest}}
!
{{$comment}}


@ -108,6 +108,7 @@
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="nxosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
@ -116,6 +117,7 @@
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="nxosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>


@ -108,6 +108,7 @@
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="nxosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
@ -116,6 +117,7 @@
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="nxosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>

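--- a/src/res/os/nxos.xml
+++ b/src/res/os/nxos.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?> <!-- -*- mode: xml; -*- -->
+<FWBuilderResources>
+<Target name="nxos">
+<description>Cisco NX-OS</description>
+<status>active</status>
+<compiler>fwb_nxosacl</compiler>
+<family>nxos</family>
+<dialog>nxos</dialog>
+<cluster_dialog>basic</cluster_dialog>
+<options>
+<user_can_change_install_dir>true</user_can_change_install_dir>
+<default>
+</default>
+<activation>
+<fwdir>volatile:</fwdir>
+<fwdir_test>volatile:</fwdir_test>
+</activation>
+</options>
+<capabilities>
+<supports_routing>True</supports_routing>
+<supports_metric>True</supports_metric>
+<supports_routing_itf>True</supports_routing_itf>
+<supports_advanced_interface_options>False</supports_advanced_interface_options>
+<supports_cluster>True</supports_cluster>
+</capabilities>
+<protocols>
+<failover>
+<string>none,None</string>
+</failover>
+<state_sync>
+<string>none,None</string>
+</state_sync>
+<none>
+<needs_master>False</needs_master>
+<no_ip_ok>True</no_ip_ok>
+<manage_addresses>True</manage_addresses>
+<dialog></dialog>
+</none>
+</protocols>
+<interfaces>
+<cluster>
+</cluster>
+<firewall>
+<string>ethernet,Ethernet</string>
+</firewall>
+</interfaces>
+<subinterfaces>
+<ethernet>
+<string>8021q,VLAN</string>
+<string>unknown,Unknown</string>
+</ethernet>
+</subinterfaces>
+</Target>
+</FWBuilderResources>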
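Review bot: `<interfaces><firewall>` lists only `ethernet,Ethernet`, so if this list drives the interface types offered in the GUI, the management, loopback, VLAN and port-channel interfaces that NX-OS devices commonly carry their management address on (`mgmt0` in particular) cannot be modelled; the safety-net configlet binds its temporary ACL to `{{$management_interface}}`, which makes that the interface most likely to be missing. Also worth a note next to `<fwdir>volatile:</fwdir>`: that filesystem does not survive a reload, which is fine while the activation commands apply the script in the same session, e.g. `<!-- volatile: is cleared on reload; the uploaded script is only needed during activation -->`.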


@ -0,0 +1,188 @@
<?xml version="1.0"?>
<FWBuilderResources>
<Target name="nxosacl">
<description>Cisco Router NX-OS ACL</description>
<status>active</status>
<group>Cisco</group>
<compiler>fwb_nxosacl</compiler>
<dialog>nxosacl</dialog>
<installer>fwb_inst_nxosacl</installer>
<diff>fwb_nxosacl_diff</diff>
<supported_os>nxos</supported_os>
<versions>4.2,5.0,5.1,5.2,6.0,6.1</versions>
<options>
<default>
<nxosacl_include_comments>true</nxosacl_include_comments>
<nxosacl_add_clear_statements>true</nxosacl_add_clear_statements>
<nxosacl_assume_fw_part_of_any>true</nxosacl_assume_fw_part_of_any>
</default>
<version_12.1>
<nxosacl_include_comments>true</nxosacl_include_comments>
<nxosacl_add_clear_statements>true</nxosacl_add_clear_statements>
<nxosacl_assume_fw_part_of_any>true</nxosacl_assume_fw_part_of_any>
<supports_mixed_service_groups>False</supports_mixed_service_groups>
<nxosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</nxosacl_commands>
</version_12.1>
<version_12.2>
<nxosacl_include_comments>true</nxosacl_include_comments>
<nxosacl_add_clear_statements>true</nxosacl_add_clear_statements>
<nxosacl_assume_fw_part_of_any>true</nxosacl_assume_fw_part_of_any>
<supports_mixed_service_groups>False</supports_mixed_service_groups>
<nxosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</nxosacl_commands>
</version_12.2>
<version_12.3>
<nxosacl_include_comments>true</nxosacl_include_comments>
<nxosacl_add_clear_statements>true</nxosacl_add_clear_statements>
<nxosacl_assume_fw_part_of_any>true</nxosacl_assume_fw_part_of_any>
<supports_mixed_service_groups>False</supports_mixed_service_groups>
<nxosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</nxosacl_commands>
</version_12.3>
<version_12.4>
<nxosacl_include_comments>true</nxosacl_include_comments>
<nxosacl_add_clear_statements>true</nxosacl_add_clear_statements>
<nxosacl_assume_fw_part_of_any>true</nxosacl_assume_fw_part_of_any>
<supports_mixed_service_groups>False</supports_mixed_service_groups>
<nxosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</nxosacl_commands>
</version_12.4>
</options>
<capabilities>
<negation_in_interface_policy>False</negation_in_interface_policy>
<negation_in_policy>False</negation_in_policy>
<negation_in_nat>False</negation_in_nat>
<logging_in_policy>True</logging_in_policy>
<options_in_policy>True</options_in_policy>
<supports_nat>False</supports_nat>
<actions_in_nat>False</actions_in_nat>
<inbound_interface_in_nat>False</inbound_interface_in_nat>
<outbound_interface_in_nat>False</outbound_interface_in_nat>
<supports_time>False</supports_time>
<supports_accounting>False</supports_accounting>
<security_levels>False</security_levels>
<network_zones>False</network_zones>
<unprotected_interfaces>True</unprotected_interfaces>
<supports_prolog_epilog>True</supports_prolog_epilog>
<supports_cluster>False</supports_cluster>
<install_only_on_primary>False</install_only_on_primary>
<actions>
<Accept>
<supported>True</supported>
<description>Accept</description>
<dialog_page>None</dialog_page>
</Accept>
<Deny>
<supported>True</supported>
<description>Deny</description>
<dialog_page>None</dialog_page>
</Deny>
<Reject>
<supported>False</supported>
<description>Reject</description>
<dialog_page>Reject</dialog_page>
</Reject>
<Accounting>
<supported>False</supported>
<description>Accounting</description>
<dialog_page>None</dialog_page>
</Accounting>
<Tag>
<supported>False</supported>
<description>Tag</description>
<dialog_page>None</dialog_page>
</Tag>
<Pipe>
<supported>False</supported>
<description>Pipe</description>
<dialog_page>None</dialog_page>
</Pipe>
<Classify>
<supported>False</supported>
<description>Classify</description>
<dialog_page>None</dialog_page>
</Classify>
<Custom>
<supported>False</supported>
<description>Custom</description>
<dialog_page>None</dialog_page>
</Custom>
<Branch>
<supported>False</supported>
<description>Branch</description>
<dialog_page>None</dialog_page>
</Branch>
<Route>
<supported>False</supported>
<description>Route</description>
<dialog_page>None</dialog_page>
</Route>
<Translate>
<supported>False</supported>
<description>Translate</description>
<dialog_page>None</dialog_page>
</Translate>
<NATBranch>
<supported>False</supported>
<description>Branch</description>
<dialog_page>None</dialog_page>
</NATBranch>
</actions>
</capabilities>
</Target>
</FWBuilderResources>
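Review bot: The per-version option blocks are keyed `version_12.1` through `version_12.4`, which are IOS release numbers, while `<versions>` on this same target lists 4.2, 5.0, 5.1, 5.2, 6.0 and 6.1; if, as the naming suggests, options are looked up by `version_<selected version>`, no NX-OS version a user can pick will ever match a block, so only `<default>` applies, and `<default>` carries neither the `nxosacl_commands` templates nor `supports_mixed_service_groups`. Either rename the blocks to the listed versions or move the command templates into `<default>`, which would also remove the four identical copies. `<installer>fwb_inst_nxosacl</installer>` and `<diff>fwb_nxosacl_diff</diff>` name binaries that this diff does not visibly add (the build changes only add `fwb_nxosacl`), so confirm they exist or drop the elements.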


@ -101,6 +101,7 @@
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="nxosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
@ -109,6 +110,7 @@
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="nxosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>


@ -101,6 +101,7 @@
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="nxosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
@ -109,6 +110,7 @@
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="nxosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>


@ -23,6 +23,7 @@ SUBDIRS = libfwbuilder \
ipf \
ipfw \
cisco_lib \
nxosacl \
iosacl \
pix \
procurve_acl \