
Feature: Fragmentation service objects

This commit is contained in:
Sirius Bakke
2015-03-09 15:27:23 +01:00
parent ea5dfca100
commit 8e456db713
3 changed files with 85 additions and 0 deletions


@@ -42,6 +42,7 @@
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "compiler_lib/junosInterfaces.h"
@@ -281,6 +282,41 @@ bool PolicyCompiler_junosacl::splitTCPServiceWithFlags::processNext()
return true;
}
bool PolicyCompiler_junosacl::checkIPv4FragmentService::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementSrv *srv = rule->getSrv();
if (srv->size() > 1)
{
CustomService *fragment_srv = NULL;
for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Service *s=Service::cast(obj);
assert(s!=NULL);
CustomService *custom_srv = CustomService::cast(s);
if (custom_srv && (!custom_srv->getCodeForPlatform(compiler->myPlatformName()).substr(0, 15).compare("fragment-offset")) ) {
if (!fragment_srv) {
fragment_srv = custom_srv;
} else {
if (fragment_srv->getId() != custom_srv->getId())
compiler->abort(
rule,
"You have contradicting IPv4 fragmentation services in the same rule.");
}
}
}
}
tmp_queue.push_back(rule);
return true;
}
void PolicyCompiler_junosacl::compile()
{
@@ -323,6 +359,8 @@ void PolicyCompiler_junosacl::compile()
add( new eliminateDuplicatesInDST("eliminate duplicates in DST"));
add( new eliminateDuplicatesInSRV("eliminate duplicates in SRV"));
add( new checkIPv4FragmentService("Avoid contradiction IPv4 fragmentation services"));
//add( new ExpandMultipleAddressesInSrc(
// "expand objects with multiple addresses in SRC" ) );
//add( new ExpandMultipleAddressesInDst(
@@ -366,6 +404,8 @@ void PolicyCompiler_junosacl::compile()
add( new eliminateDuplicatesInDST( "eliminate duplicates in DST" ) );
add( new eliminateDuplicatesInSRV( "eliminate duplicates in SRV" ) );
add( new checkIPv4FragmentService("Avoid contradiction IPv4 fragmentation services"));
// TODO: fix processMultiAddressObjects
// add( new processMultiAddressObjectsInSrc(
// "process MultiAddress objects in Src") );
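Review bot: In checkIPv4FragmentService::processNext the prefix test `!custom_srv->getCodeForPlatform(compiler->myPlatformName()).substr(0, 15).compare("fragment-offset")` hides a hand-counted length behind a negated compare and a temporary string; `custom_srv->getCodeForPlatform(compiler->myPlatformName()).compare(0, 15, "fragment-offset") == 0` expresses the same prefix match directly. The contradiction test then compares object ids, so two distinct CustomService objects that carry identical junosacl text also abort, which is conservative but deserves a comment such as `// two distinct fragment-offset services in one rule cannot be merged into one term, so refuse rather than silently keep one`. The check only inspects CustomService objects; whether a rule that pairs a fragment-offset service with a port-matching TCP/UDP service yields a term that can match non-initial fragments is not covered here, so if that combination is also meant to be rejected it needs its own processor. The same `add( new checkIPv4FragmentService(...))` line is inserted at two points of compile(); if the second point is an IPv6 branch, the IPv4-only check runs there too, which these hunks do not show. Both compile() and the enclosing class continue outside the hunks.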


@@ -200,6 +200,12 @@ namespace fwcompiler {
*/
DECLARE_POLICY_RULE_PROCESSOR(splitTCPServiceWithFlags);
friend class PolicyCompiler_junosacl::splitTCPServiceWithFlags;
/**
* Avoid contradiction IPv4 fragmentation services
*/
DECLARE_POLICY_RULE_PROCESSOR(checkIPv4FragmentService);
friend class PolicyCompiler_junosacl::checkIPv4FragmentService;
/**
* this processor prints single policy rule, assuming all
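Review bot: The doc comment `Avoid contradiction IPv4 fragmentation services` above the new checkIPv4FragmentService declaration repeats the stage label rather than stating the contract, so a reader of the header cannot tell what the processor rejects. I would replace it with `Aborts compilation when a rule lists two different CustomService objects whose junosacl code starts with "fragment-offset"; rules with at most one such object pass through unchanged.` The enclosing class declaration continues outside the hunk.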


@@ -430,6 +430,45 @@
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id6861X14323" name="Fragment Small Offset IPv4 UDP" comment="" ro="False" protocol="udp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="junosacl">fragment-offset 1-5</CustomServiceCommand>
<CustomServiceCommand platform="nxosacl"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id191207X5261" name="Fragment IPv6" comment="" ro="False" protocol="fragment" address_family="ipv6">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">cccc</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="junosacl">payload-protocol udp</CustomServiceCommand>
<CustomServiceCommand platform="nxosacl"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id573577X17557" name="Fragment IPv4" comment="" ro="False" protocol="udp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="junosacl">fragment-offset 6-8191</CustomServiceCommand>
<CustomServiceCommand platform="nxosacl"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="stdid20" name="UserServices" comment="" ro="False"/>
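Review bot: The new `Fragment IPv6` object carries `cccc` as its iosacl CustomServiceCommand, which reads as a leftover placeholder; every other platform entry in these three objects is either empty or a real junosacl match, so that entry should be emptied like its siblings. Its junosacl code `payload-protocol udp` contains no fragment match at all, unlike the two IPv4 objects (`fragment-offset 1-5` and `fragment-offset 6-8191`), so a rule built on it would appear to select UDP payloads rather than fragments; if that is intended the name should say so, otherwise the code needs a fragment match. `Fragment IPv4` is declared `protocol="udp"` while its name does not mention UDP, unlike `Fragment Small Offset IPv4 UDP`, so either the name or the protocol attribute looks inconsistent. All three objects ship with `comment=""`; a one-line comment describing which offset range each one selects would let users choose the right object without reading the platform code.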