diff --git a/src/pix/NATCompiler_pix.cpp b/src/pix/NATCompiler_pix.cpp index 967e68ea0..617a726a3 100644 --- a/src/pix/NATCompiler_pix.cpp +++ b/src/pix/NATCompiler_pix.cpp @@ -104,8 +104,8 @@ string NATCompiler_pix::debugPrintRule(Rule *r) { NATRule *rule=NATRule::cast(r); - Interface *iface1 = getCachedFwInterface( rule->getStr("nat_iface_orig") ); - Interface *iface2 = getCachedFwInterface( rule->getStr("nat_iface_trn") ); + Interface *iface1 = getCachedFwInterface( rule->getInt("nat_iface_orig") ); + Interface *iface2 = getCachedFwInterface( rule->getInt("nat_iface_trn") ); string iface1_name=(iface1!=NULL)?iface1->getName():""; string iface2_name=(iface2!=NULL)?iface2->getName():""; @@ -114,6 +114,7 @@ string NATCompiler_pix::debugPrintRule(Rule *r) switch (rule->getRuleType()) { case NATRule::NONAT: + os << "NONAT Type: " << rule->getInt("nonat_type"); break; case NATRule::SNAT: 
@@ -347,19 +348,20 @@ bool NATCompiler_pix::AssignInterface::processNext() assert(a1!=NULL && a2!=NULL); - rule->setStr("nat_iface_orig",helper.findInterfaceByNetzone(a1)); - rule->setStr("nat_iface_trn", helper.findInterfaceByNetzone(a2)); + rule->setInt("nat_iface_orig",helper.findInterfaceByNetzone(a1)); + rule->setInt("nat_iface_trn", helper.findInterfaceByNetzone(a2)); - if ( rule->getStr("nat_iface_orig")=="" ) + if ( rule->getInt("nat_iface_orig")==-1 ) compiler->abort("Object '" + a1->getName() + "' does not belong to any known network zone. Rule: " + rule->getLabel()); - if ( rule->getStr("nat_iface_trn")=="" ) + + if ( rule->getInt("nat_iface_trn")==-1 ) compiler->abort("Object '" + a2->getName() + "' does not belong to any known network zone. Rule: " + rule->getLabel()); -// if ( rule->getStr("nat_iface_orig")==rule->getStr("nat_iface_trn")) +// if ( rule->getInt("nat_iface_orig")==rule->getInt("nat_iface_trn")) // compiler->abort("Objects '"+a1->getName()+"' and '"+a2->getName()+"' belong to the same network zone. Can not build NAT configuration. Rule: "+rule->getLabel()); return true; @@ -371,16 +373,16 @@ bool NATCompiler_pix::verifyInterfaces::processNext() tmp_queue.push_back(rule); #ifdef WRONG_CHECK - if ( rule->getStr("nat_iface_orig")!=rule->getStr("nat_iface_trn") ) + if ( rule->getInt("nat_iface_orig")!=rule->getInt("nat_iface_trn") ) { if (rule->getRuleType()==NATRule::SNAT) { Interface *iface1= Interface::cast( rule->getRoot()->findInIndex( - rule->getStr("nat_iface_orig")) ); + rule->getInt("nat_iface_orig")) ); Interface *iface2= Interface::cast( rule->getRoot()->findInIndex( - rule->getStr("nat_iface_trn")) ); + rule->getInt("nat_iface_trn")) ); if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() ) { 
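Review bot: The -1 sentinel is tested only after it has already been written into the rule with `setInt`, so the lookup result makes a round trip through the rule's attribute store before validation and the rule briefly carries an invalid interface id. Keep the result in a local, check it, and store it only when it is valid: `int iface_orig = helper.findInterfaceByNetzone(a1);` / `if (iface_orig == -1) compiler->abort("Object '" + a1->getName() + "' does not belong to any known network zone. Rule: " + rule->getLabel());` / `rule->setInt("nat_iface_orig", iface_orig);`, and the same for a2. The bare -1 literal is repeated here, in OSConfigurator_pix_os.cpp and in PolicyCompiler_pix_v6_acls.cpp; a named constant next to findInterfaceByNetzone (a constructed name such as `NO_INTERFACE`) would document that contract in one place. AssignInterface::processNext begins before this hunk.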
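Review bot: The `getInt` rewrites in the verifyInterfaces hunk sit inside `#ifdef WRONG_CHECK`, so unless some build defines that macro the compiler never sees them and `findInIndex(rule->getInt("nat_iface_orig"))` is unverified; on the following line `iface1` and `iface2` are also dereferenced with no NULL check. If no build enables WRONG_CHECK, deleting the block is safer than editing code that cannot be compiled; if one does, add `assert(iface1 != NULL && iface2 != NULL);` before the security-level comparison, matching the `assert(a1!=NULL && a2!=NULL)` style used above. verifyInterfaces::processNext continues outside the hunk.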
@@ -722,20 +724,21 @@ bool NATCompiler_pix::processNONATRules::processNext() */ if (osrc_level>odst_level) { - rule->setInt("nonat_type",NONAT_NAT0); + rule->setInt("nonat_type", NONAT_NAT0); nonat n0; - n0.i_iface=osrc_iface; - n0.o_iface=odst_iface; - n0.src=osrc; - n0.dst=odst; - n0.acl_name="nat0."+osrc_iface->getLabel(); - n0.last=true; + n0.i_iface = osrc_iface; + n0.o_iface = odst_iface; + n0.src = osrc; + n0.dst = odst; + n0.acl_name = "nat0."+osrc_iface->getLabel(); + n0.last = true; - pix_comp->nonat_rules[rule->getId()]= n0; + pix_comp->nonat_rules[rule->getId()] = n0; pix_comp->registerACL(n0.acl_name); - if ( pix_comp->first_nonat_rule_id[osrc_iface->getId()].empty() ) - pix_comp->first_nonat_rule_id[osrc_iface->getId()]=rule->getId(); + if (pix_comp->first_nonat_rule_id.count(osrc_iface->getId()) == 0) + pix_comp->first_nonat_rule_id[osrc_iface->getId()] = + rule->getId(); } else { @@ -768,9 +771,11 @@ bool NATCompiler_pix::createNATCmd::processNext() natcmd->o_src = osrc; natcmd->o_dst = odst; natcmd->o_srv = osrv; - natcmd->o_iface = compiler->getCachedFwInterface( rule->getStr("nat_iface_orig") ); + natcmd->o_iface = compiler->getCachedFwInterface( + rule->getInt("nat_iface_orig") ); natcmd->t_addr = tsrc; - natcmd->t_iface = compiler->getCachedFwInterface( rule->getStr("nat_iface_trn" ) ); + natcmd->t_iface = compiler->getCachedFwInterface( + rule->getInt("nat_iface_trn" ) ); natcmd->nat_acl_name = pix_comp->getNATACLname(rule,""); pix_comp->registerACL(natcmd->nat_acl_name); 
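Review bot: The `count() == 0` test followed by `operator[]` performs two lookups to express insert-if-absent; `std::map::insert` never overwrites an existing key, so `pix_comp->first_nonat_rule_id.insert(std::make_pair(osrc_iface->getId(), rule->getId()));` does the same in one lookup and states the intent directly. This matters because _printNONAT in NATCompiler_pix_writers.cpp reads the same map through `operator[]`, which silently inserts a default entry that the `count()` check here would then treat as "already recorded". processNONATRules::processNext starts before the hunk.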
@@ -1058,8 +1063,10 @@ bool NATCompiler_pix::optimizeDefaultNAT::processNext() */ FWObject *o=osrc->front(); string osrc_id; - if (FWReference::cast(o)!=NULL) osrc_id=FWReference::cast(o)->getPointerId(); - else osrc_id=o->getId(); + if (FWReference::cast(o)!=NULL) + osrc_id = FWObjectDatabase::getStringId(FWReference::cast(o)->getPointerId()); + else + osrc_id = FWObjectDatabase::getStringId(o->getId()); if ( ( !tsrc->isAny() && tdst->isAny()) || ( !osrc->isAny() && odst->isAny() && tsrc->isAny() && tdst->isAny() ) diff --git a/src/pix/NATCompiler_pix.h b/src/pix/NATCompiler_pix.h index 17a794135..a59d467af 100644 --- a/src/pix/NATCompiler_pix.h +++ b/src/pix/NATCompiler_pix.h @@ -91,9 +91,9 @@ namespace fwcompiler { }; // first: rule->getId(), second: nonat object - std::map nonat_rules; + std::map nonat_rules; // first: interface->getId(), second: rule->getId() - std::map first_nonat_rule_id; + std::map first_nonat_rule_id; libfwbuilder::RuleSet *final_ruleset; diff --git a/src/pix/NATCompiler_pix_writers.cpp b/src/pix/NATCompiler_pix_writers.cpp index f050db6fd..c625e1661 100644 --- a/src/pix/NATCompiler_pix_writers.cpp +++ b/src/pix/NATCompiler_pix_writers.cpp @@ -118,8 +118,8 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule) { case NONAT_NAT0: { - nonat n0=pix_comp->nonat_rules[rule->getId()]; - Interface *iface1=n0.i_iface; + nonat n0 = pix_comp->nonat_rules[rule->getId()]; + Interface *iface1 = n0.i_iface; // Interface *iface2=n0.o_iface; if (rule->getBool("use_nat_0_0")) @@ -134,7 +134,8 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule) compiler->output << endl; if (pix_comp->getACLFlag(n0.acl_name)==0 && - compiler->fw->getOptionsObject()->getBool("pix_acl_substitution")) + compiler->fw->getOptionsObject()->getBool( + "pix_acl_substitution")) { compiler->output << clearACLcmd <<" " << n0.acl_name << endl; pix_comp->setACLFlag(n0.acl_name,1); 
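Review bot: `osrc_id` is converted to a string with `FWObjectDatabase::getStringId` on both branches, while the rest of this commit moves object ids to int; unless osrc_id is later compared with a string attribute (its use lies outside the hunk), keep it as an int — `int osrc_id = (FWReference::cast(o) != NULL) ? FWReference::cast(o)->getPointerId() : o->getId();` — and convert only where a string is actually required. optimizeDefaultNAT::processNext continues outside the hunk.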
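Review bot: In _printNONAT, `nonat n0 = pix_comp->nonat_rules[rule->getId()];` default-constructs and inserts an entry when the rule id is absent and copies the whole struct for a read-only use. Look the entry up with `find`, assert it exists, and bind a reference: `const nonat &n0 = it->second;` after `assert(it != pix_comp->nonat_rules.end());`. The function's `case NONAT_NAT0:` block continues past the end of the hunk.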
@@ -148,10 +149,11 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule) << _printAddress(n0.dst,true) << endl; - if ( pix_comp->first_nonat_rule_id[iface1->getId()]==rule->getId() ) + if (pix_comp->first_nonat_rule_id[iface1->getId()]==rule->getId()) { if (compiler->fw->getStr("platform")=="fwsm" && - compiler->fw->getOptionsObject()->getBool("pix_use_manual_commit") ) + compiler->fw->getOptionsObject()->getBool( + "pix_use_manual_commit") ) { compiler->output << "access-list commit" << endl; compiler->output << endl; @@ -170,8 +172,10 @@ void NATCompiler_pix::PrintRule::_printNONAT(NATRule *rule) Address *osrc=compiler->getFirstOSrc(rule); assert(osrc); Address *odst=compiler->getFirstODst(rule); assert(odst); - Interface *osrc_iface=compiler->getCachedFwInterface( helper.findInterfaceByNetzone(osrc ) ); - Interface *odst_iface=compiler->getCachedFwInterface( helper.findInterfaceByNetzone(odst ) ); + Interface *osrc_iface = compiler->getCachedFwInterface( + helper.findInterfaceByNetzone(osrc ) ); + Interface *odst_iface = compiler->getCachedFwInterface( + helper.findInterfaceByNetzone(odst ) ); string addr=odst->getAddressPtr()->toString(); string mask; @@ -327,8 +331,8 @@ bool NATCompiler_pix::PrintRule::processNext() Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv); - Interface *iface_orig = compiler->getCachedFwInterface( rule->getStr("nat_iface_orig") ); - Interface *iface_trn = compiler->getCachedFwInterface( rule->getStr("nat_iface_trn" ) ); + Interface *iface_orig = compiler->getCachedFwInterface( rule->getInt("nat_iface_orig") ); + Interface *iface_trn = compiler->getCachedFwInterface( rule->getInt("nat_iface_trn" ) ); switch (rule->getRuleType()) { diff --git a/src/pix/OSConfigurator_pix_os.cpp b/src/pix/OSConfigurator_pix_os.cpp index 803259409..1b8db1700 100644 --- a/src/pix/OSConfigurator_pix_os.cpp +++ b/src/pix/OSConfigurator_pix_os.cpp 
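Review bot: `pix_comp->first_nonat_rule_id[iface1->getId()]` in a printing routine inserts a zero-valued entry for any interface without a recorded first rule, so a read path mutates compiler state, and a rule whose id happens to be 0 would compare equal to that default. Use `find` and compare only when the key is present, e.g. `if (it != pix_comp->first_nonat_rule_id.end() && it->second == rule->getId())` after a `find(iface1->getId())`. Since processNONATRules in NATCompiler_pix.cpp decides whether to record a first rule with `count() == 0`, an accidental insertion here would also change that decision. _printNONAT starts outside the hunk.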
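Review bot: In the @@ -170 hunk the `findInterfaceByNetzone` results for osrc and odst are handed straight to `getCachedFwInterface`, whereas OSConfigurator_pix_os.cpp tests the new -1 sentinel before that call and aborts; if the lookup fails here, the later uses of `osrc_iface` and `odst_iface` (outside the hunk) either dereference NULL or, worse, emit a NONAT command bound to an unintended interface without any diagnostic. Store the ids in locals and add the same guard, `if (osrc_id == -1 || odst_id == -1) compiler->abort("Object does not belong to any known network zone. Rule: " + rule->getLabel());`, before calling `getCachedFwInterface`. The enclosing function continues past the hunk.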
@@ -196,8 +196,8 @@ string OSConfigurator_pix_os::_printLogging() if ( ! syslog_host.empty() ) { InetAddr syslog_addr(syslog_host); - string iface_id = helper.findInterfaceByNetzone(&syslog_addr); - if (iface_id.empty()) + int iface_id = helper.findInterfaceByNetzone(&syslog_addr); + if (iface_id == -1) abort("Log server " + syslog_host + " does not belong to any known network zone"); Interface *syslog_iface = getCachedFwInterface(iface_id); @@ -263,8 +263,8 @@ string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv, ostringstream str; InetAddr srv_addr(srv); - string iface_id=helper.findInterfaceByNetzone(&srv_addr); - if (iface_id.empty()) + int iface_id=helper.findInterfaceByNetzone(&srv_addr); + if (iface_id == -1) abort(string("SNMP server ") + srv + " does not belong to any known network zone"); Interface *snmp_iface = getCachedFwInterface(iface_id); @@ -353,8 +353,8 @@ string OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref) ostringstream str; InetAddr srv_addr(srv); - string iface_id=helper.findInterfaceByNetzone(&srv_addr); - if (iface_id.empty()) + int iface_id=helper.findInterfaceByNetzone(&srv_addr); + if (iface_id == -1) abort("NTP server "+srv+" does not belong to any known network zone"); Interface *ntp_iface = getCachedFwInterface(iface_id); str << "ntp server " << srv << " source " << ntp_iface->getLabel(); diff --git a/src/pix/PolicyCompiler_pix_v6_acls.cpp b/src/pix/PolicyCompiler_pix_v6_acls.cpp index 3cf87490e..bde3f4e91 100644 --- a/src/pix/PolicyCompiler_pix_v6_acls.cpp +++ b/src/pix/PolicyCompiler_pix_v6_acls.cpp 
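Review bot: `_printLogging`, `_printSNMPServer` (hunk @@ -263) and `_printNTPServer` (hunk @@ -353) now repeat the same `int iface_id = ...; if (iface_id == -1) abort(...)` sequence against a bare -1 literal; the sentinel is the helper's contract, so name it once (a constructed example: `static const int NO_INTERFACE = -1;` beside findInterfaceByNetzone) and compare against that name. A small member such as `Interface *ifaceForAddress(const InetAddr &addr, const string &what)` that does the lookup, the sentinel check and `getCachedFwInterface` would reduce the three call sites to one line each and keep the error text uniform. Each of the three functions begins before its hunk.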
@@ -73,15 +73,15 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext() bool icmp_cmd = rule->getBool("icmp_cmd"); bool ssh_telnet_cmd = rule->getBool("ssh_telnet_cmd"); - string interface_id = rule->getInterfaceId(); + int interface_id = rule->getInterfaceId(); if (rule->getDirection()==PolicyRule::Undefined) rule->setDirection( PolicyRule::Both ); - if (interface_id.empty() && rule->getDirection()==PolicyRule::Both) + if (interface_id==-1 && rule->getDirection()==PolicyRule::Both) return true; - if (interface_id.empty() && !icmp_cmd && !ssh_telnet_cmd && ( + if (interface_id==-1 && !icmp_cmd && !ssh_telnet_cmd && ( rule->getDirection()==PolicyRule::Inbound || rule->getDirection()==PolicyRule::Outbound) ) compiler->abort(string("Direction set without interface in rule ")+rule->getLabel()); @@ -188,7 +188,8 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext() { if (!src->isAny()) { - string iface1_id=helper.findInterfaceByNetzone( compiler->getFirstSrc(rule) ); + int iface1_id = helper.findInterfaceByNetzone( + compiler->getFirstSrc(rule) ); /* special case: interface detected via comparison of src and the * network zone is the same as the one this rule is assigned to, but @@ -204,8 +205,9 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext() tmp_queue.push_back(rule); } else { - string iface2_id; - iface2_id=helper.findInterfaceByNetzone( compiler->getFirstDst(rule) ); + int iface2_id; + iface2_id = helper.findInterfaceByNetzone( + compiler->getFirstDst(rule) ); list l2=compiler->fw->getByType(Interface::TYPENAME); for (list::iterator i=l2.begin(); i!=l2.end(); ++i) 
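Review bot: In the @@ -204 hunk `int iface2_id;` followed by a separate assignment leaves an uninitialised int for one statement and reads as two steps where one is meant; initialise at the declaration, `int iface2_id = helper.findInterfaceByNetzone(compiler->getFirstDst(rule));`, as the @@ -188 hunk already does for `iface1_id`. EmulateOutboundACL_v6::processNext starts and ends outside the hunk.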
@@ -279,14 +281,14 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext() RuleElementSrc *src=rule->getSrc(); assert(src); RuleElementDst *dst=rule->getDst(); assert(dst); - if (rule->getInterfaceId()=="") + if (rule->getInterfaceId()==-1) { try { if (! src->isAny() ) { Address *a=compiler->getFirstSrc(rule); - string iface1_id=helper.findInterfaceByNetzone(a); + int iface1_id = helper.findInterfaceByNetzone(a); rule->setInterfaceId(iface1_id); tmp_queue.push_back(rule); } else { @@ -294,7 +296,7 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext() Address *a=compiler->getFirstDst(rule); if ( ! dst->isAny() && compiler->complexMatch(a,compiler->fw)) { - string iface2_id=helper.findInterfaceByNetzone( a ); + int iface2_id = helper.findInterfaceByNetzone( a ); rule->setInterfaceId(iface2_id); rule->setStr("direction","Inbound"); tmp_queue.push_back(rule); diff --git a/src/pix/PolicyCompiler_pix_writers.cpp b/src/pix/PolicyCompiler_pix_writers.cpp index 71beee50f..ec8bcdf4b 100644 --- a/src/pix/PolicyCompiler_pix_writers.cpp +++ b/src/pix/PolicyCompiler_pix_writers.cpp @@ -388,13 +388,17 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o) } } return str.str(); - } else - { - compiler->abort(string("Object ") + o->getName() + - string(" (id=") + o->getId() + string(") ") + - string(" has no ip address and can not be used ") + - string("in the rule.")); } + ostringstream errstr; + errstr << "Object " + << o->getName() + << " (id=" + << o->getId() + << ") " + << " has no ip address and can not be used " + << "in the rule."; + compiler->abort(errstr.str()); + return ""; // to make compiler happy } bool PolicyCompiler_pix::PrintRule::suppressDuplicateICMPCommands(const string &cmd) diff --git a/src/pix/pix.cpp b/src/pix/pix.cpp index effbded9c..be545a2c8 100644 --- a/src/pix/pix.cpp +++ b/src/pix/pix.cpp 
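Review bot: `rule->setInterfaceId(iface1_id)` here and `rule->setInterfaceId(iface2_id)` in hunk @@ -294 store the lookup result without testing for the -1 sentinel, so a source or destination that belongs to no network zone leaves the rule with interface id -1, which the `rule->getInterfaceId()==-1` guard at the top of this hunk treats as "not yet assigned" rather than as an error. Unless the surrounding `try` (its handler is outside the hunk) is meant to cover this case, abort as AssignInterface does in NATCompiler_pix.cpp: `if (iface1_id == -1) compiler->abort("Object '" + a->getName() + "' does not belong to any known network zone. Rule: " + rule->getLabel());`. assignRuleToInterface_v6::processNext continues outside the hunk.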
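Review bot: In _printAddr the rebuilt message concatenates `") "` with `" has no ip address ..."`, which yields a double space after the id; drop the leading space from the second literal. The stream exists only to render `o->getId()` as text, and this commit already uses `FWObjectDatabase::getStringId` for that elsewhere, so the original concatenation can stay: `compiler->abort(string("Object ") + o->getName() + " (id=" + FWObjectDatabase::getStringId(o->getId()) + ") has no ip address and can not be used in the rule.");`. If `compiler->abort` never returns, declaring it with the compiler's noreturn attribute would also remove the need for the `return "";` placeholder. _printAddr begins before the hunk.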
@@ -107,14 +107,21 @@ class UpgradePredicate: public XMLTools::UpgradePredicate class sort_by_net_zone { + string any_address_id; public: -// explicit sort_by_net_zone(); - bool operator()(const FWObject *a, const FWObject *b) { - if (Interface::constcast(a) && Interface::constcast(b)) { + explicit sort_by_net_zone() + { + any_address_id = FWObjectDatabase::getStringId( + FWObjectDatabase::ANY_ADDRESS_ID); + } + bool operator()(const FWObject *a, const FWObject *b) + { + if (Interface::constcast(a) && Interface::constcast(b)) + { string netzone_a=a->getStr("network_zone"); string netzone_b=b->getStr("network_zone"); - if ( netzone_a==FWObjectDatabase::getAnyNetworkId()) return false; - if ( netzone_b==FWObjectDatabase::getAnyNetworkId()) return true; + if ( netzone_a==any_address_id) return false; + if ( netzone_b==any_address_id) return true; } return false; } @@ -390,7 +397,8 @@ int main(int argc, char * const * argv) "Network zone definition is missing for interface " +iface->getName()+" ("+iface->getLabel()+")"); } - FWObject *netzone=objdb->findInIndex(netzone_id); + FWObject *netzone=objdb->findInIndex( + FWObjectDatabase::getIntId(netzone_id)); if (netzone==NULL) { throw FWException( @@ -433,7 +441,8 @@ int main(int argc, char * const * argv) nz->add(*j); } iface->setStr("orig_netzone_id", netzone_id ); - iface->setStr("network_zone", nz->getId() ); + iface->setStr("network_zone", + FWObjectDatabase::getStringId(nz->getId()) ); } /*
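Review bot: The comparison in sort_by_net_zone now uses `FWObjectDatabase::ANY_ADDRESS_ID` where the old code used `getAnyNetworkId()`; if those denote different objects, interfaces whose network_zone is the "any" network would no longer sort last and the order in which interfaces are considered may change — please confirm the two ids are the same or keep the original call. Separately, `operator()` should be const (`bool operator()(const FWObject *a, const FWObject *b) const`) because sort comparators are commonly held by const reference, `explicit` on a constructor with no parameters has no effect and can be dropped, and `any_address_id` belongs in the constructor's initializer list. The class is visible in full; the two main() hunks (@@ -390, @@ -433) continue outside their hunks.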