diff --git a/doc/ChangeLog b/doc/ChangeLog
index 06cb8c8d3..c529e0171 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,13 @@
 2011-03-19 vadim
+	* IOSImporter.cpp (createTCPUDPNeqObject): see #2248 implemented
+	import of Cisco IOS and PIX/ASA service configurations using port
+	operation "neq". Since object model in fwbuilder does not provide
+	direct support for "port not equal to" expression, this
+	configuration is conveted into two tcp or udp service objects with
+	port range extending below and above specified port and these two
+	service objects are then placed in a group.
+
 	* objectMaker.cpp (findMatchingObject): see #2240 better
 	deduplication algorithm on import: we consider objects created from
 	in-line address/netmask and port specifications found inside
diff --git a/src/import/IOSImporter.cpp b/src/import/IOSImporter.cpp
index 035b4334b..42460e18d 100644
--- a/src/import/IOSImporter.cpp
+++ b/src/import/IOSImporter.cpp
@@ -46,6 +46,7 @@
 #include "fwbuilder/UDPService.h"
 #include "fwbuilder/Policy.h"
 #include "fwbuilder/RuleElement.h"
+#include "fwbuilder/Library.h"
 #include 
 #include 
@@ -120,16 +121,89 @@ ObjectSignature IOSImporter::packObjectSignatureUDPService()
 FWObject* IOSImporter::createTCPService()
 {
+    if (src_port_op == "neq" || dst_port_op == "neq")
+        return createTCPUDPNeqObject("tcp");
+
     ObjectSignature sig = packObjectSignatureTCPService();
     return service_maker->createObject(sig);
 }
 FWObject* IOSImporter::createUDPService()
 {
+    if (src_port_op == "neq" || dst_port_op == "neq")
+        return createTCPUDPNeqObject("udp");
+
     ObjectSignature sig = packObjectSignatureUDPService();
     return service_maker->createObject(sig);
 }
+/*
+ * create two tcp service objects to cover port ranges before
+ * and after src_port_spec, put them into service group and
+ * return pointer to the group. We ignore tcp ports and
+ * "established" flag in combination with "neq"
+ *
+ */
+FWObject* IOSImporter::createTCPUDPNeqObject(const QString &proto)
+{
+    ObjectSignature sig;
+
+    if (proto == "tcp") sig.type_name = TCPService::TYPENAME;
+    if (proto == "udp") sig.type_name = UDPService::TYPENAME;
+
+    QString name;
+    FWObject *srv1 = NULL;
+    FWObject *srv2 = NULL;
+
+    if (src_port_op == "neq")
+    {
+        if ( ! dst_port_spec.empty())
+            name = QString("%1 src neq %2 / dst %3")
+                .arg(proto).arg(src_port_spec.c_str()).arg(dst_port_spec.c_str());
+        else
+            name = QString("%1 src neq %2").arg(proto).arg(src_port_spec.c_str());
+
+        sig.setDstPortRangeFromPortOp(
+            dst_port_op.c_str(), dst_port_spec.c_str(), proto);
+
+        sig.setSrcPortRangeFromPortOp("lt", src_port_spec.c_str(), proto);
+        srv1 = service_maker->createObject(sig);
+
+        sig.setSrcPortRangeFromPortOp("gt", src_port_spec.c_str(), proto);
+        srv2 = service_maker->createObject(sig);
+    }
+
+    if (dst_port_op == "neq")
+    {
+        if ( ! src_port_spec.empty())
+            name = QString("%1 src %2 / dst neq %3")
+                .arg(proto).arg(src_port_spec.c_str()).arg(dst_port_spec.c_str());
+        else
+            name = QString("%1 dst neq %2").arg(proto).arg(dst_port_spec.c_str());
+
+        sig.setSrcPortRangeFromPortOp(
+            src_port_op.c_str(), src_port_spec.c_str(), proto);
+
+        sig.setDstPortRangeFromPortOp("lt", dst_port_spec.c_str(), proto);
+        srv1 = service_maker->createObject(sig);
+
+        sig.setDstPortRangeFromPortOp("gt", dst_port_spec.c_str(), proto);
+        srv2 = service_maker->createObject(sig);
+    }
+
+    assert(srv1 != NULL && srv2 != NULL);
+
+    ObjectMaker maker(Library::cast(library));
+    FWObject *grp =
+        commitObject(
+            maker.createObject(ServiceGroup::TYPENAME, name.toStdString()));
+
+    grp->addRef(srv1);
+    grp->addRef(srv2);
+
+    return grp;
+}
+
 void IOSImporter::ignoreCurrentInterface()
 {
     if (current_interface)
diff --git a/src/import/IOSImporter.h b/src/import/IOSImporter.h
index 43f110890..2354ec72f 100644
--- a/src/import/IOSImporter.h
+++ b/src/import/IOSImporter.h
@@ -47,10 +47,12 @@ protected:
     virtual libfwbuilder::FWObject* createTCPService();
     virtual libfwbuilder::FWObject* createUDPService();
-
+    virtual libfwbuilder::FWObject* createTCPUDPNeqObject(const QString &proto);
+
     virtual ObjectSignature packObjectSignatureTCPService();
     virtual ObjectSignature packObjectSignatureUDPService();
+
 public:
     IOSImporter(libfwbuilder::FWObject *lib,
diff --git a/src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.cpp b/src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.cpp
index d8ce93812..42cc5d412 100644
--- a/src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.cpp
+++ b/src/libgui/importFirewallConfigurationWizard/IC_ProgressPage.cpp
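Review bot: When both `src_port_op` and `dst_port_op` are "neq" (a Cisco ACL line such as `permit tcp any neq 80 any neq 443`), the second `if (dst_port_op == "neq")` block overwrites srv1/srv2, so the two objects created by the first block are left orphaned in the library and the group covers only the destination side; the surviving objects also take their source range from `sig.setSrcPortRangeFromPortOp(src_port_op.c_str(), ...)` with "neq" as the op, whose handling is not visible here. For a firewall import that silently changes what the rule matches, which is the one thing an importer must not do, so the case needs the 2x2 product of lt/gt halves (four objects) or an explicit rejection until that exists. The header comment reads "We ignore tcp ports and "established" flag" where "tcp flags" is presumably meant, and it should also record that `neq 0` / `neq 65535` produce an empty lt or gt half whose fate depends on setSrcPortRangeFromPortOp/setDstPortRangeFromPortOp. A sketch of the product form, with `assert` kept as in the original, follows.

```cpp
FWObject* IOSImporter::createTCPUDPNeqObject(const QString &proto)
{
    // … unchanged: type_name selection; `name` built as in the two existing branches …

    // Expand "neq" on each side into its "lt"/"gt" halves; a side that is
    // not "neq" is passed through unchanged. Both sides "neq" yields the
    // 2x2 product, so nothing is dropped and no object is orphaned.
    std::vector<std::string> src_ops, dst_ops;
    if (src_port_op == "neq") { src_ops.push_back("lt"); src_ops.push_back("gt"); }
    else src_ops.push_back(src_port_op);
    if (dst_port_op == "neq") { dst_ops.push_back("lt"); dst_ops.push_back("gt"); }
    else dst_ops.push_back(dst_port_op);

    std::vector<FWObject*> services;
    for (size_t i = 0; i < src_ops.size(); ++i)
    {
        sig.setSrcPortRangeFromPortOp(src_ops[i].c_str(), src_port_spec.c_str(), proto);
        for (size_t j = 0; j < dst_ops.size(); ++j)
        {
            sig.setDstPortRangeFromPortOp(dst_ops[j].c_str(), dst_port_spec.c_str(), proto);
            FWObject *srv = service_maker->createObject(sig);
            assert(srv != NULL);
            services.push_back(srv);
        }
    }

    ObjectMaker maker(Library::cast(library));
    FWObject *grp =
        commitObject(
            maker.createObject(ServiceGroup::TYPENAME, name.toStdString()));
    for (size_t i = 0; i < services.size(); ++i) grp->addRef(services[i]);
    return grp;
}
```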
@@ -89,9 +89,9 @@ int IC_ProgressPage::nextId () const
     Firewall *fw = dynamic_cast(wizard())->getFirewall();
-    // I can move on to the next page only if firewall object has been created
+    // Move on to the next page only if firewall object has been created
     // and the next page only makes sense for pix and fwsm
-    if (fw && (platform == "pix" || platform == "fwsm"))
+    if (platform == "pix" || platform == "fwsm")
         return ImportFirewallConfigurationWizard::Page_NetworkZones;
     return -1;
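Review bot: With `fw &&` dropped from the condition, the retained comment `// Move on to the next page only if firewall object has been created` no longer describes the code, and `fw` on the line above becomes an unused local. Either keep the null check and say why pix/fwsm need it, or remove the `Firewall *fw = ...` line and reword the comment to `// The network-zones page only makes sense for pix and fwsm`. If the firewall object can legitimately be missing at this point, it is worth stating (in the comment or commit message) why Page_NetworkZones is safe to enter without it, since that page presumably reads it; nextId's body may continue outside the hunk.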