* IOSImporter.cpp (createTCPUDPNeqObject): see #2248 implemented

import of Cisco IOS and PIX/ASA service configurations using port operation "neq". Since object model in fwbuilder does not provide direct support for "port not equal to" expression, this configuration is conveted into two tcp or udp service objects with port range extending below and above specified port and these two service objects are then placed in a group.
2026-03-20 10:17:16 +01:00 · 2011-03-19 20:54:08 -07:00 · 2011-03-19 20:54:08 -07:00 · 8fee475805
commit 8fee475805
parent 07fb9a3bfc
4 changed files with 87 additions and 3 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,13 @@
 2011-03-19  vadim  <vadim@netcitadel.com>

+	* IOSImporter.cpp (createTCPUDPNeqObject): see #2248 implemented
+	import of Cisco IOS and PIX/ASA service configurations using port
+	operation "neq". Since object model in fwbuilder does not provide
+	direct support for "port not equal to" expression, this
+	configuration is conveted into two tcp or udp service objects with
+	port range extending below and above specified port and these two
+	service objects are then placed in a group.
+
 	* objectMaker.cpp (findMatchingObject): see #2240 better
 	deduplication algorithm on import: we consider objects created
 	from in-line address/netmask and port specifications found inside
--- a/src/import/IOSImporter.cpp
+++ b/src/import/IOSImporter.cpp
@ -46,6 +46,7 @@
 #include "fwbuilder/UDPService.h"
 #include "fwbuilder/Policy.h"
 #include "fwbuilder/RuleElement.h"
+#include "fwbuilder/Library.h"

 #include <QString>
 #include <QtDebug>
@ -120,16 +121,89 @@ ObjectSignature IOSImporter::packObjectSignatureUDPService()

 FWObject* IOSImporter::createTCPService()
 {
+    if (src_port_op == "neq" || dst_port_op == "neq")
+        return createTCPUDPNeqObject("tcp");
+
    ObjectSignature sig = packObjectSignatureTCPService();
    return service_maker->createObject(sig);
 }

 FWObject* IOSImporter::createUDPService()
 {
+    if (src_port_op == "neq" || dst_port_op == "neq")
+        return createTCPUDPNeqObject("udp");
+
    ObjectSignature sig =  packObjectSignatureUDPService();
    return service_maker->createObject(sig);
 }

+/*
+ * create two tcp service objects to cover port ranges before
+ * and after src_port_spec, put them into service group and
+ * return pointer to the group.  We ignore tcp ports and
+ * "established" flag in combination with "neq"
+ *
+ */
+FWObject* IOSImporter::createTCPUDPNeqObject(const QString &proto)
+{
+    ObjectSignature sig;
+
+    if (proto == "tcp") sig.type_name = TCPService::TYPENAME;
+    if (proto == "udp") sig.type_name = UDPService::TYPENAME;
+
+    QString name;
+    FWObject *srv1 = NULL;
+    FWObject *srv2 = NULL;
+
+    if (src_port_op == "neq")
+    {
+        if ( ! dst_port_spec.empty())
+            name = QString("%1 src neq %2 / dst %3")
+                .arg(proto).arg(src_port_spec.c_str()).arg(dst_port_spec.c_str());
+        else
+            name = QString("%1 src neq %2").arg(proto).arg(src_port_spec.c_str());
+
+        sig.setDstPortRangeFromPortOp(
+            dst_port_op.c_str(), dst_port_spec.c_str(), proto);
+
+        sig.setSrcPortRangeFromPortOp("lt", src_port_spec.c_str(), proto);
+        srv1 = service_maker->createObject(sig);
+
+        sig.setSrcPortRangeFromPortOp("gt", src_port_spec.c_str(), proto);
+        srv2 = service_maker->createObject(sig);
+    }
+
+    if (dst_port_op == "neq")
+    {
+        if ( ! src_port_spec.empty())
+            name = QString("%1 src %2 / dst neq %3")
+                .arg(proto).arg(src_port_spec.c_str()).arg(dst_port_spec.c_str());
+        else
+            name = QString("%1 dst neq %2").arg(proto).arg(dst_port_spec.c_str());
+
+        sig.setSrcPortRangeFromPortOp(
+            src_port_op.c_str(), src_port_spec.c_str(), proto);
+
+        sig.setDstPortRangeFromPortOp("lt", dst_port_spec.c_str(), proto);
+        srv1 = service_maker->createObject(sig);
+
+        sig.setDstPortRangeFromPortOp("gt", dst_port_spec.c_str(), proto);
+        srv2 = service_maker->createObject(sig);
+    }
+
+    assert(srv1 != NULL && srv2 != NULL);
+
+    ObjectMaker maker(Library::cast(library));
+    FWObject *grp = 
+        commitObject(
+            maker.createObject(ServiceGroup::TYPENAME, name.toStdString()));
+
+    grp->addRef(srv1);
+    grp->addRef(srv2);
+
+    return grp;
+}
+
 void IOSImporter::ignoreCurrentInterface()
 {
    if (current_interface)
--- a/src/import/IOSImporter.h
+++ b/src/import/IOSImporter.h
@ -47,10 +47,12 @@ protected:
    
    virtual libfwbuilder::FWObject* createTCPService();
    virtual libfwbuilder::FWObject* createUDPService();
-
+    virtual libfwbuilder::FWObject* createTCPUDPNeqObject(const QString &proto);
+    
    virtual ObjectSignature packObjectSignatureTCPService();
    virtual ObjectSignature packObjectSignatureUDPService();

+    
 public:

    IOSImporter(libfwbuilder::FWObject *lib,
--- a/src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.cpp
+++ b/src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.cpp
@ -89,9 +89,9 @@ int IC_ProgressPage::nextId () const
    Firewall *fw = 
        dynamic_cast<ImportFirewallConfigurationWizard*>(wizard())->getFirewall();

-    // I can move on to the next page only if firewall object has been created
+    // Move on to the next page only if firewall object has been created
    // and the next page only makes sense for pix and fwsm
-    if (fw && (platform == "pix" || platform == "fwsm"))
+    if (platform == "pix" || platform == "fwsm")
        return ImportFirewallConfigurationWizard::Page_NetworkZones;

    return -1;