
int IDs in compiler for pix

This commit is contained in:
Vadim Kurland
2008-06-10 05:01:44 +00:00
parent ad446d7308
commit c0fd400bdd
7 changed files with 89 additions and 63 deletions


@@ -104,8 +104,8 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
{
NATRule *rule=NATRule::cast(r);
Interface *iface1 = getCachedFwInterface( rule->getStr("nat_iface_orig") );
Interface *iface2 = getCachedFwInterface( rule->getStr("nat_iface_trn") );
Interface *iface1 = getCachedFwInterface( rule->getInt("nat_iface_orig") );
Interface *iface2 = getCachedFwInterface( rule->getInt("nat_iface_trn") );
string iface1_name=(iface1!=NULL)?iface1->getName():"";
string iface2_name=(iface2!=NULL)?iface2->getName():"";
@@ -114,6 +114,7 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
switch (rule->getRuleType())
{
case NATRule::NONAT:
os << "NONAT Type: " << rule->getInt("nonat_type");
break;
case NATRule::SNAT:
@@ -347,19 +348,20 @@ bool NATCompiler_pix::AssignInterface::processNext()
assert(a1!=NULL && a2!=NULL);
rule->setStr("nat_iface_orig",helper.findInterfaceByNetzone(a1));
rule->setStr("nat_iface_trn", helper.findInterfaceByNetzone(a2));
rule->setInt("nat_iface_orig",helper.findInterfaceByNetzone(a1));
rule->setInt("nat_iface_trn", helper.findInterfaceByNetzone(a2));
if ( rule->getStr("nat_iface_orig")=="" )
if ( rule->getInt("nat_iface_orig")==-1 )
compiler->abort("Object '" + a1->getName() +
"' does not belong to any known network zone. Rule: " +
rule->getLabel());
if ( rule->getStr("nat_iface_trn")=="" )
if ( rule->getInt("nat_iface_trn")==-1 )
compiler->abort("Object '" + a2->getName() +
"' does not belong to any known network zone. Rule: " +
rule->getLabel());
// if ( rule->getStr("nat_iface_orig")==rule->getStr("nat_iface_trn"))
// if ( rule->getInt("nat_iface_orig")==rule->getInt("nat_iface_trn"))
// compiler->abort("Objects '"+a1->getName()+"' and '"+a2->getName()+"' belong to the same network zone. Can not build NAT configuration. Rule: "+rule->getLabel());
return true;
@@ -371,16 +373,16 @@ bool NATCompiler_pix::verifyInterfaces::processNext()
tmp_queue.push_back(rule);
#ifdef WRONG_CHECK
if ( rule->getStr("nat_iface_orig")!=rule->getStr("nat_iface_trn") )
if ( rule->getInt("nat_iface_orig")!=rule->getInt("nat_iface_trn") )
{
if (rule->getRuleType()==NATRule::SNAT)
{
Interface *iface1=
Interface::cast( rule->getRoot()->findInIndex(
rule->getStr("nat_iface_orig")) );
rule->getInt("nat_iface_orig")) );
Interface *iface2=
Interface::cast( rule->getRoot()->findInIndex(
rule->getStr("nat_iface_trn")) );
rule->getInt("nat_iface_trn")) );
if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() )
{
@@ -722,20 +724,21 @@ bool NATCompiler_pix::processNONATRules::processNext()
*/
if (osrc_level>odst_level)
{
rule->setInt("nonat_type",NONAT_NAT0);
rule->setInt("nonat_type", NONAT_NAT0);
nonat n0;
n0.i_iface=osrc_iface;
n0.o_iface=odst_iface;
n0.src=osrc;
n0.dst=odst;
n0.acl_name="nat0."+osrc_iface->getLabel();
n0.last=true;
n0.i_iface = osrc_iface;
n0.o_iface = odst_iface;
n0.src = osrc;
n0.dst = odst;
n0.acl_name = "nat0."+osrc_iface->getLabel();
n0.last = true;
pix_comp->nonat_rules[rule->getId()]= n0;
pix_comp->nonat_rules[rule->getId()] = n0;
pix_comp->registerACL(n0.acl_name);
if ( pix_comp->first_nonat_rule_id[osrc_iface->getId()].empty() )
pix_comp->first_nonat_rule_id[osrc_iface->getId()]=rule->getId();
if (pix_comp->first_nonat_rule_id.count(osrc_iface->getId()) == 0)
pix_comp->first_nonat_rule_id[osrc_iface->getId()] =
rule->getId();
} else
{
@@ -768,9 +771,11 @@ bool NATCompiler_pix::createNATCmd::processNext()
natcmd->o_src = osrc;
natcmd->o_dst = odst;
natcmd->o_srv = osrv;
natcmd->o_iface = compiler->getCachedFwInterface( rule->getStr("nat_iface_orig") );
natcmd->o_iface = compiler->getCachedFwInterface(
rule->getInt("nat_iface_orig") );
natcmd->t_addr = tsrc;
natcmd->t_iface = compiler->getCachedFwInterface( rule->getStr("nat_iface_trn" ) );
natcmd->t_iface = compiler->getCachedFwInterface(
rule->getInt("nat_iface_trn" ) );
natcmd->nat_acl_name = pix_comp->getNATACLname(rule,"");
pix_comp->registerACL(natcmd->nat_acl_name);
@@ -1058,8 +1063,10 @@ bool NATCompiler_pix::optimizeDefaultNAT::processNext()
*/
FWObject *o=osrc->front();
string osrc_id;
if (FWReference::cast(o)!=NULL) osrc_id=FWReference::cast(o)->getPointerId();
else osrc_id=o->getId();
if (FWReference::cast(o)!=NULL)
osrc_id = FWObjectDatabase::getStringId(FWReference::cast(o)->getPointerId());
else
osrc_id = FWObjectDatabase::getStringId(o->getId());
if ( ( !tsrc->isAny() && tdst->isAny()) ||
( !osrc->isAny() && odst->isAny() && tsrc->isAny() && tdst->isAny() )
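Review bot: The "no interface matched" sentinel is now a bare `-1` literal that the check at L39 and L44 compares against, and the same literal is repeated in the other files of this commit (L200, L210, L220, L235, L238, L266), so nothing ties these comparisons to the value `findInterfaceByNetzone` actually returns. A named constant declared next to `findInterfaceByNetzone` (constructed name) would make the contract explicit, e.g. `static const int NO_INTERFACE_ID = -1; // returned by findInterfaceByNetzone when no network zone matches`, with the checks written as `if (rule->getInt("nat_iface_orig") == NO_INTERFACE_ID)`. Note also that the guard at L39 only works because L36 stores the lookup result in the same pass; a short comment on L36 saying that `nat_iface_orig`/`nat_iface_trn` hold the interface id or the sentinel would help readers of `createNATCmd` (L103-L109), which consumes them without a check. `AssignInterface::processNext` begins outside this hunk.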


@@ -91,9 +91,9 @@ namespace fwcompiler {
};
// first: rule->getId(), second: nonat object
std::map<std::string, nonat> nonat_rules;
std::map<int, nonat> nonat_rules;
// first: interface->getId(), second: rule->getId()
std::map<std::string,std::string> first_nonat_rule_id;
std::map<int,int> first_nonat_rule_id;
libfwbuilder::RuleSet *final_ruleset;
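Review bot: The comment kept on `first_nonat_rule_id` at L132 no longer warns that absence cannot be detected through `operator[]`: with `std::map<int,int>` a failed lookup default-inserts `0`, which is indistinguishable from a genuine id, whereas the old string map inserted an empty string that `.empty()` caught. Suggest extending the comment to `// first: interface->getId(), second: rule->getId(); test for absence with count()/find(), operator[] inserts 0`. The same caveat applies to `nonat_rules` at L131, where `operator[]` inserts a default-constructed `nonat`. The enclosing class starts and ends outside this hunk.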


@@ -118,8 +118,8 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule)
{
case NONAT_NAT0:
{
nonat n0=pix_comp->nonat_rules[rule->getId()];
Interface *iface1=n0.i_iface;
nonat n0 = pix_comp->nonat_rules[rule->getId()];
Interface *iface1 = n0.i_iface;
// Interface *iface2=n0.o_iface;
if (rule->getBool("use_nat_0_0"))
@@ -134,7 +134,8 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule)
compiler->output << endl;
if (pix_comp->getACLFlag(n0.acl_name)==0 &&
compiler->fw->getOptionsObject()->getBool("pix_acl_substitution"))
compiler->fw->getOptionsObject()->getBool(
"pix_acl_substitution"))
{
compiler->output << clearACLcmd <<" " << n0.acl_name << endl;
pix_comp->setACLFlag(n0.acl_name,1);
@@ -148,10 +149,11 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule)
<< _printAddress(n0.dst,true)
<< endl;
if ( pix_comp->first_nonat_rule_id[iface1->getId()]==rule->getId() )
if (pix_comp->first_nonat_rule_id[iface1->getId()]==rule->getId())
{
if (compiler->fw->getStr("platform")=="fwsm" &&
compiler->fw->getOptionsObject()->getBool("pix_use_manual_commit") )
compiler->fw->getOptionsObject()->getBool(
"pix_use_manual_commit") )
{
compiler->output << "access-list commit" << endl;
compiler->output << endl;
@@ -170,8 +172,10 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule)
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
Interface *osrc_iface=compiler->getCachedFwInterface( helper.findInterfaceByNetzone(osrc ) );
Interface *odst_iface=compiler->getCachedFwInterface( helper.findInterfaceByNetzone(odst ) );
Interface *osrc_iface = compiler->getCachedFwInterface(
helper.findInterfaceByNetzone(osrc ) );
Interface *odst_iface = compiler->getCachedFwInterface(
helper.findInterfaceByNetzone(odst ) );
string addr=odst->getAddressPtr()->toString();
string mask;
@@ -327,8 +331,8 @@ bool NATCompiler_pix::PrintRule::processNext()
Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv);
Interface *iface_orig = compiler->getCachedFwInterface( rule->getStr("nat_iface_orig") );
Interface *iface_trn = compiler->getCachedFwInterface( rule->getStr("nat_iface_trn" ) );
Interface *iface_orig = compiler->getCachedFwInterface( rule->getInt("nat_iface_orig") );
Interface *iface_trn = compiler->getCachedFwInterface( rule->getInt("nat_iface_trn" ) );
switch (rule->getRuleType())
{
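Review bot: The lookup at L162, `pix_comp->first_nonat_rule_id[iface1->getId()]==rule->getId()`, still goes through `operator[]`, so a missing entry silently inserts `0` into the compiler's map while printing, and with int keys that `0` now looks like a real rule id; the commit switched the writer side at L94 to `count()` for exactly this reason but left this read unchanged. Use a non-inserting lookup: `std::map<int,int>::const_iterator it = pix_comp->first_nonat_rule_id.find(iface1->getId());` followed by `if (it != pix_comp->first_nonat_rule_id.end() && it->second == rule->getId())`. L145 has the same shape (`nonat n0 = pix_comp->nonat_rules[rule->getId()];`) and additionally copies the struct; a `find()` and a const reference would avoid both. `_printNONAT` starts and ends outside this hunk.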


@@ -196,8 +196,8 @@ string OSConfigurator_pix_os::_printLogging()
if ( ! syslog_host.empty() )
{
InetAddr syslog_addr(syslog_host);
string iface_id = helper.findInterfaceByNetzone(&syslog_addr);
if (iface_id.empty())
int iface_id = helper.findInterfaceByNetzone(&syslog_addr);
if (iface_id == -1)
abort("Log server " + syslog_host +
" does not belong to any known network zone");
Interface *syslog_iface = getCachedFwInterface(iface_id);
@@ -263,8 +263,8 @@ string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,
ostringstream str;
InetAddr srv_addr(srv);
string iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id.empty())
int iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id == -1)
abort(string("SNMP server ") + srv +
" does not belong to any known network zone");
Interface *snmp_iface = getCachedFwInterface(iface_id);
@@ -353,8 +353,8 @@ string OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref)
ostringstream str;
InetAddr srv_addr(srv);
string iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id.empty())
int iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id == -1)
abort("NTP server "+srv+" does not belong to any known network zone");
Interface *ntp_iface = getCachedFwInterface(iface_id);
str << "ntp server " << srv << " source " << ntp_iface->getLabel();
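Review bot: The new `iface_id == -1` guards at L200, L210 and L220 cover only the "no network zone matched" case; the pointer returned by `getCachedFwInterface(iface_id)` on L203, L213 and L222 is then used without a null check, and L223 dereferences `ntp_iface` immediately. Elsewhere in this commit (L23-L24) the result of `getCachedFwInterface` is explicitly tested against `NULL`, which suggests it can return null for an id that is not one of the firewall's interfaces. A guard mirroring the sentinel check, e.g. `if (ntp_iface == NULL) abort("NTP server " + srv + " maps to an unknown interface");` (and the same for `syslog_iface` and `snmp_iface`), would turn a crash on a misconfigured address into the same diagnostic path. The three functions each continue outside their hunks.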


@@ -73,15 +73,15 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
bool icmp_cmd = rule->getBool("icmp_cmd");
bool ssh_telnet_cmd = rule->getBool("ssh_telnet_cmd");
string interface_id = rule->getInterfaceId();
int interface_id = rule->getInterfaceId();
if (rule->getDirection()==PolicyRule::Undefined)
rule->setDirection( PolicyRule::Both );
if (interface_id.empty() && rule->getDirection()==PolicyRule::Both)
if (interface_id==-1 && rule->getDirection()==PolicyRule::Both)
return true;
if (interface_id.empty() && !icmp_cmd && !ssh_telnet_cmd && (
if (interface_id==-1 && !icmp_cmd && !ssh_telnet_cmd && (
rule->getDirection()==PolicyRule::Inbound ||
rule->getDirection()==PolicyRule::Outbound)
) compiler->abort(string("Direction set without interface in rule ")+rule->getLabel());
@@ -188,7 +188,8 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
{
if (!src->isAny())
{
string iface1_id=helper.findInterfaceByNetzone( compiler->getFirstSrc(rule) );
int iface1_id = helper.findInterfaceByNetzone(
compiler->getFirstSrc(rule) );
/* special case: interface detected via comparison of src and the
* network zone is the same as the one this rule is assigned to, but
@@ -204,8 +205,9 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
tmp_queue.push_back(rule);
} else
{
string iface2_id;
iface2_id=helper.findInterfaceByNetzone( compiler->getFirstDst(rule) );
int iface2_id;
iface2_id = helper.findInterfaceByNetzone(
compiler->getFirstDst(rule) );
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
@@ -279,14 +281,14 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
RuleElementSrc *src=rule->getSrc(); assert(src);
RuleElementDst *dst=rule->getDst(); assert(dst);
if (rule->getInterfaceId()=="")
if (rule->getInterfaceId()==-1)
{
try
{
if (! src->isAny() )
{
Address *a=compiler->getFirstSrc(rule);
string iface1_id=helper.findInterfaceByNetzone(a);
int iface1_id = helper.findInterfaceByNetzone(a);
rule->setInterfaceId(iface1_id);
tmp_queue.push_back(rule);
} else {
@@ -294,7 +296,7 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
Address *a=compiler->getFirstDst(rule);
if ( ! dst->isAny() && compiler->complexMatch(a,compiler->fw))
{
string iface2_id=helper.findInterfaceByNetzone( a );
int iface2_id = helper.findInterfaceByNetzone( a );
rule->setInterfaceId(iface2_id);
rule->setStr("direction","Inbound");
tmp_queue.push_back(rule);
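Review bot: At L257-L259 `iface2_id` is declared uninitialized (`int iface2_id;`) and only assigned on the following statement, which is a regression in style from the string version where default construction made the declaration safe; now there is a window in which the variable holds an indeterminate value. Declare it at first use, as the sibling hunk at L247-L248 already does: `int iface2_id = helper.findInterfaceByNetzone(compiler->getFirstDst(rule));`. The same declare-at-first-use shape is used at L274 and L283, so only this spot is inconsistent. `EmulateOutboundACL_v6::processNext` starts and ends outside the hunk.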


@@ -388,13 +388,17 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
}
}
return str.str();
} else
{
compiler->abort(string("Object ") + o->getName() +
string(" (id=") + o->getId() + string(") ") +
string(" has no ip address and can not be used ") +
string("in the rule."));
}
ostringstream errstr;
errstr << "Object "
<< o->getName()
<< " (id="
<< o->getId()
<< ") "
<< " has no ip address and can not be used "
<< "in the rule.";
compiler->abort(errstr.str());
return ""; // to make compiler happy
}
bool PolicyCompiler_pix::PrintRule::suppressDuplicateICMPCommands(const string &cmd)


@@ -107,14 +107,21 @@ class UpgradePredicate: public XMLTools::UpgradePredicate
class sort_by_net_zone {
string any_address_id;
public:
// explicit sort_by_net_zone();
bool operator()(const FWObject *a, const FWObject *b) {
if (Interface::constcast(a) && Interface::constcast(b)) {
explicit sort_by_net_zone()
{
any_address_id = FWObjectDatabase::getStringId(
FWObjectDatabase::ANY_ADDRESS_ID);
}
bool operator()(const FWObject *a, const FWObject *b)
{
if (Interface::constcast(a) && Interface::constcast(b))
{
string netzone_a=a->getStr("network_zone");
string netzone_b=b->getStr("network_zone");
if ( netzone_a==FWObjectDatabase::getAnyNetworkId()) return false;
if ( netzone_b==FWObjectDatabase::getAnyNetworkId()) return true;
if ( netzone_a==any_address_id) return false;
if ( netzone_b==any_address_id) return true;
}
return false;
}
@@ -390,7 +397,8 @@ int main(int argc, char * const * argv)
"Network zone definition is missing for interface "
+iface->getName()+" ("+iface->getLabel()+")");
}
FWObject *netzone=objdb->findInIndex(netzone_id);
FWObject *netzone=objdb->findInIndex(
FWObjectDatabase::getIntId(netzone_id));
if (netzone==NULL)
{
throw FWException(
@@ -433,7 +441,8 @@ int main(int argc, char * const * argv)
nz->add(*j);
}
iface->setStr("orig_netzone_id", netzone_id );
iface->setStr("network_zone", nz->getId() );
iface->setStr("network_zone",
FWObjectDatabase::getStringId(nz->getId()) );
}
/*