
fixes #1394 by using the existing virtual functions that expand multiple addresses to also expand cluster interfaces. It is now possible to use, in rules, an interface of a cluster different from the one being compiled

This commit is contained in:
Vadim Kurland 2010-04-09 02:29:27 +00:00
parent 65a0f408a7
commit c1708d457a
15 changed files with 85 additions and 157 deletions


@ -1 +1 @@
#define BUILD_NUM 2798
#define BUILD_NUM 2799


@ -1,5 +1,19 @@
2010-04-08 vadim <vadim@vk.crocodile.org>
* CompilerDriver.cpp (CompilerDriver::copyFailoverInterface):
see #1394 there is no need to add a copy of member interface objects
to the cluster anymore.
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::_expand_interface):
fixes #1394 Using existing virtual functions that expand multiple
addresses to expand cluster interfaces. Added parameter bool
expand_cluster_interfaces_fully to _expand_addr,
_expand_addr_recursive and _expand_interface. Now expanding
cluster interface in the Compiler::_expand_interface instead of
PolicyCompiler_ipt::_expand_interface. Now it is possible to
use interface of another cluster in rules (interface of a cluster
object different from the one being compiled).
* ProjectPanel_file_ops.cpp (ProjectPanel::exportLibraryTest):
fixed #1395 "routing rules are not reported properly while
exporting library"


@ -81,7 +81,8 @@ NATCompiler_pix::NATCompiler_pix(FWObjectDatabase *_db,
void NATCompiler_pix::_expand_addr_recursive_pix(Rule *rule,
FWObject *re,
FWObject *s,
list<FWObject*> &ol)
list<FWObject*> &ol,
bool expand_cluster_interfaces_fully)
{
Interface *rule_iface = Interface::cast(dbcopy->findInIndex(rule->getInterfaceId()));
bool odst_or_tsrc = (re->getTypeName() == RuleElementODst::TYPENAME ||
@ -139,53 +140,29 @@ void NATCompiler_pix::_expand_addr_recursive_pix(Rule *rule,
continue;
}
_expand_interface(rule, i2itf, ol);
_expand_interface(rule, i2itf, ol, expand_cluster_interfaces_fully);
continue;
}
_expand_addr_recursive_pix(rule, re, *i2, ol);
_expand_addr_recursive_pix(rule, re, *i2, ol, expand_cluster_interfaces_fully);
}
}
}
void NATCompiler_pix::_expand_addr_recursive(Rule *rule, FWObject *re,
list<FWObject*> &ol)
list<FWObject*> &ol,
bool expand_cluster_interfaces_fully)
{
_expand_addr_recursive_pix(rule, re, re, ol);
_expand_addr_recursive_pix(rule, re, re, ol, expand_cluster_interfaces_fully);
}
void NATCompiler_pix::_expand_interface(Rule *rule,
Interface *iface,
std::list<FWObject*> &ol)
std::list<FWObject*> &ol,
bool expand_cluster_interfaces_fully)
{
FWObject *parent = iface->getParentHost();
if (Cluster::cast(parent) == NULL)
{
Compiler::_expand_interface(rule, iface, ol);
return;
}
FailoverClusterGroup *failover_group = FailoverClusterGroup::cast(
iface->getFirstByType(FailoverClusterGroup::TYPENAME));
if (failover_group)
{
Interface *member_iface =
failover_group->getInterfaceForMemberFirewall(fw);
if (member_iface)
{
Compiler::_expand_interface(rule, member_iface, ol);
return;
}
QString err("Failover group of cluster interface '%1' (%2) "
"does not include interface for the member '%3'");
abort(rule,
err.
arg(iface->getName().c_str()).
arg(iface->getLabel().c_str()).
arg(fw->getName().c_str()).toStdString());
}
Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully);
}
string NATCompiler_pix::getNATACLname(Rule *rule,int nat_id)
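Review bot: NATCompiler_pix::_expand_interface now does nothing but forward its four arguments to Compiler::_expand_interface, and the same is true of PolicyCompiler_pix::_expand_interface in the next file, so both overrides can either be deleted (the base virtual is then reached directly) or kept with a comment saying they are deliberate extension points. The removed bodies aborted with `Failover group of cluster interface '%1' (%2) does not include interface for the member '%3'` when the failover group had no interface for the firewall being compiled; that check is not visible in the new code, so please confirm that Compiler::_expand_interface (outside this diff) still reports that case rather than silently expanding the cluster interface to nothing or only to its own addresses. If the overrides stay, `// Pass-through: cluster/failover interface handling moved to Compiler::_expand_interface (#1394)` on both would save the next reader a search.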


@ -104,12 +104,14 @@ namespace fwcompiler {
void _expand_addr_recursive_pix(libfwbuilder::Rule *rule,
libfwbuilder::FWObject *re,
libfwbuilder::FWObject *s,
std::list<libfwbuilder::FWObject*> &ol);
std::list<libfwbuilder::FWObject*> &ol,
bool expand_cluster_interfaces_fully);
virtual void _expand_addr_recursive(libfwbuilder::Rule *rule,
libfwbuilder::FWObject *s,
std::list<libfwbuilder::FWObject*> &ol);
libfwbuilder::FWObject *s,
std::list<libfwbuilder::FWObject*> &ol,
bool expand_cluster_interfaces_fully);
/**
* internal: checks if interface is a child of a cluster and calls
@ -119,7 +121,8 @@ namespace fwcompiler {
*/
virtual void _expand_interface(libfwbuilder::Rule *rule,
libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
std::list<libfwbuilder::FWObject*> &ol,
bool expand_cluster_interfaces_fully);
/* this is a dictionary of all nat acl names and associated boolean
* flag that indicates that corresponding 'clear' command has been
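Review bot: The comment for _expand_interface beginning `* internal: checks if interface is a child of a cluster and calls` (its remainder falls between the two hunks) no longer describes the implementation in NATCompiler_pix.cpp, which after this commit only forwards to Compiler::_expand_interface. Suggest replacing it with `* Forwards to Compiler::_expand_interface; cluster/failover interface handling lives there (#1394).` and documenting the new parameter, e.g. `* @param expand_cluster_interfaces_fully passed through unchanged to the base implementation`. Neither _expand_addr_recursive_pix nor _expand_addr_recursive says what the flag means either; if the base class declaration (not in this diff) already explains it, a `@see` pointing there is enough.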


@ -183,39 +183,10 @@ int PolicyCompiler_pix::prolog()
void PolicyCompiler_pix::_expand_interface(Rule *rule,
Interface *iface,
std::list<FWObject*> &ol)
std::list<FWObject*> &ol,
bool expand_cluster_interfaces_fully)
{
FWObject *parent = iface->getParentHost();
if (Cluster::cast(parent) == NULL)
{
Compiler::_expand_interface(rule, iface, ol);
return;
}
FWObject *failover_group = iface->getFirstByType(FailoverClusterGroup::TYPENAME);
if (failover_group)
{
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *member_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(member_iface);
if (member_iface->isChildOf(fw))
{
Compiler::_expand_interface(rule, member_iface, ol);
return;
}
}
QString err("Failover group of cluster interface '%1' (%2) "
"does not include interface for the member '%3'");
abort(rule,
err.
arg(iface->getName().c_str()).
arg(iface->getLabel().c_str()).
arg(fw->getName().c_str()).toStdString());
}
Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully);
}


@ -76,7 +76,8 @@ namespace fwcompiler {
*/
virtual void _expand_interface(libfwbuilder::Rule *rule,
libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
std::list<libfwbuilder::FWObject*> &ol,
bool expand_cluster_interfaces_fully);
/*
*************************************************************************


@ -84,7 +84,7 @@ bool RoutingCompiler_iosacl::ExpandMultipleAddressesExceptInterface::processNext
tmp_queue.push_back(rule);
RuleElementRDst *dst = rule->getRDst(); assert(dst);
compiler->_expandAddr(rule, dst);
compiler->_expand_addr(rule, dst, true);
RuleElementRGtw *gtwrel = rule->getRGtw(); assert(gtwrel);
Address *gtw = Address::cast(
@ -92,7 +92,7 @@ bool RoutingCompiler_iosacl::ExpandMultipleAddressesExceptInterface::processNext
if (gtw == NULL)
compiler->abort(rule, "Broken GTW");
if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw)) return true;
compiler->_expandAddr(rule, gtwrel);
compiler->_expand_addr(rule, gtwrel, false);
return true;
}
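Review bot: The two new calls pass bare boolean literals, so a reader of `compiler->_expand_addr(rule, dst, true);` and `compiler->_expand_addr(rule, gtwrel, false);` cannot see why the destination is expanded fully while the gateway is not; the same bare `true` appears in PolicyCompiler_ipt::expandMultipleAddressesIfNotFWinSrc and expandMultipleAddressesIfNotFWinDst later in this commit. A comment above the gateway call stating the reason for the asymmetry, or a pair of named constants such as `const bool kExpandClusterItfFully = true;` declared in the compiler namespace, would make the intent greppable. I assume the gateway is kept as the cluster interface itself because member-interface addresses are not meant to become next hops, but that is inferred from the names; please record the actual reason.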


@ -1022,39 +1022,6 @@ void CompilerDriver::copyFailoverInterface(Cluster *cluster,
new_cl_if->setUnprotected(iface->isUnprotected());
fw->getOptionsObject()->setBool("cluster_member", true);
/* Add copy of firewall's real interface to the cluster to make sure
* compiler recognizes it when it encounters cluster object in rules.
* This fixes #15 (makes compiler choose correct chains)
*
* Update 01/31/2010:
*
* Example of rule where this is necessary is anti-spoofing
* rule. When cluster object is placed in rule element, it is
* assumed that it represents its own addresses, plus addresses of
* the members.
*
* A copy of the member interface does not have
* FailoverClusterGroup child object and is not recognized as
* failover interface. This is important when this interface is
* dynamic. When cluster object is used in the rule and then
* replaced with all its interfaces in one of the rule processors,
* this copy interface appears as having cluster as a parent, not
* the firewall that is being compiled. This creates problems with
* processing of dynamic interfaces. They look like they belong to
* some other object and trigger "can use dynamic interface
* because its address is unknown" error.
*
* However there is no need to add a copy of the interface of the
* member to the cluster if this interface is dynamic or
* unnumbered. Corresponding cluster interface inherits isDyn()
* property and is sufficient. This is for ticket #1184
*/
if ( ! iface->isDyn() && ! iface->isUnnumbered())
{
FWObject *new_member_if = cluster->addCopyOf(iface, true);
new_member_if->setBool("member_interface_copy", true);
}
}
/**


@ -220,11 +220,12 @@ int NATCompiler_ipt::prolog()
void NATCompiler_ipt::_expand_interface(Rule *rule,
Interface *iface,
std::list<FWObject*> &ol)
std::list<FWObject*> &ol,
bool expand_cluster_interfaces_fully)
{
std::list<FWObject*> nol;
Compiler::_expand_interface(rule, iface, ol);
Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully);
physAddress *pa=iface->getPhysicalAddress();
/*
@ -2693,21 +2694,6 @@ void NATCompiler_ipt::compile()
add( new classifyNATRule( "reclassify rules" ));
add( new ConvertLoadBalancingRules( "convert load balancing rules"));
add( new VerifyRules( "verify rules" ));
#if 0
// ----------- 10/18/2008
add( new splitODstForSNAT(
"split rule if objects in ODst belong to different subnets") );
add( new ReplaceFirewallObjectsODst("replace firewall in ODst" ) );
add( new ReplaceFirewallObjectsTSrc("replace firewall in TSrc" ) );
add( new splitOnDynamicInterfaceInODst(
"split rule if ODst is dynamic interface" ) );
add( new splitOnDynamicInterfaceInTSrc(
"split rule if TSrc is dynamic interface" ) );
add( new ExpandMultipleAddresses("expand multiple addresses") );
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
// -----------
#endif
add( new singleObjectNegationOSrc(
"negation in OSrc if it holds single object"));


@ -86,8 +86,8 @@ namespace fwcompiler {
*/
virtual void _expand_interface(libfwbuilder::Rule *rule,
libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
std::list<libfwbuilder::FWObject*> &ol,
bool expand_cluster_interfaces_fully);
virtual std::string debugPrintRule(libfwbuilder::Rule *rule);


@ -289,29 +289,15 @@ string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule,
void PolicyCompiler_ipt::_expand_interface(Rule *rule,
Interface *iface,
std::list<FWObject*> &ol)
std::list<FWObject*> &ol,
bool expand_cluster_interfaces_fully)
{
std::list<FWObject*> ol1;
std::list<FWObject*> ol1;
std::list<FWObject*> lipaddr;
std::list<FWObject*> lother;
physAddress *pa = NULL;
std::list<FWObject*> lipaddr;
std::list<FWObject*> lother;
physAddress *pa=NULL;
Compiler::_expand_interface(rule, iface,ol1);
if (iface->isFailoverInterface())
{
// See #1234 Cluster failover interface expands to its own addresses,
// plus addresses of the corresponding member interface
FailoverClusterGroup *fg = FailoverClusterGroup::cast(
iface->getFirstByType(FailoverClusterGroup::TYPENAME));
Interface* member_intf = fg->getInterfaceForMemberFirewall(fw);
if (member_intf)
Compiler::_expand_interface(rule, member_intf, ol1);
}
Compiler::_expand_interface(rule, iface, ol1, expand_cluster_interfaces_fully);
for (std::list<FWObject*>::iterator j=ol1.begin(); j!=ol1.end(); j++)
{
@ -2794,7 +2780,7 @@ bool PolicyCompiler_ipt::expandMultipleAddressesIfNotFWinSrc::processNext()
RuleElementSrc *srcrel = rule->getSrc();
Address *src =compiler->getFirstSrc(rule);
assert(src);
if (Firewall::cast(src)==NULL) compiler->_expandAddr(rule, srcrel);
if (Firewall::cast(src)==NULL) compiler->_expand_addr(rule, srcrel, true);
tmp_queue.push_back(rule);
return true;
}
@ -2804,7 +2790,7 @@ bool PolicyCompiler_ipt::expandMultipleAddressesIfNotFWinDst::processNext()
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementDst *dstrel=rule->getDst();
Address *dst =compiler->getFirstDst(rule); assert(dst);
if (Firewall::cast(dst)==NULL) compiler->_expandAddr(rule, dstrel);
if (Firewall::cast(dst)==NULL) compiler->_expand_addr(rule, dstrel, true);
tmp_queue.push_back(rule);
return true;
}
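Review bot: The block removed from PolicyCompiler_ipt::_expand_interface carried the only explanation of the failover-interface behaviour (`// See #1234 Cluster failover interface expands to its own addresses, plus addresses of the corresponding member interface`), and the replacement line `Compiler::_expand_interface(rule, iface, ol1, expand_cluster_interfaces_fully);` gives no hint that the new flag is what now controls it. Suggest keeping the rationale at the call site, e.g. `// #1234/#1394: failover handling is in Compiler::_expand_interface; with expand_cluster_interfaces_fully the member's corresponding interface addresses are included as well` — I am inferring the flag's meaning from its name and the ChangeLog entry, so adjust the wording to what the base implementation actually does. The body of _expand_interface continues past the hunk.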


@ -120,7 +120,8 @@ protected:
*/
virtual void _expand_interface(libfwbuilder::Rule *rule,
libfwbuilder::Interface *iface,
std::list<libfwbuilder::FWObject*> &ol);
std::list<libfwbuilder::FWObject*> &ol,
bool expand_cluster_interfaces_fully);
/**


@ -73,7 +73,7 @@ int PolicyCompiler_ipfw::prolog()
* object that own the policy we are processing, because we can use
* address 'me' in ipfw rules.
*/
void PolicyCompiler_ipfw::_expandAddr(Rule *rule,FWObject *s)
void PolicyCompiler_ipfw::_expand_addr(Rule *rule, FWObject *s, bool expand_cluster_interfaces_fully)
{
RuleElement *re=RuleElement::cast(s);
@ -84,7 +84,7 @@ void PolicyCompiler_ipfw::_expandAddr(Rule *rule,FWObject *s)
if (o->getId()==fw->getId()) return;
}
Compiler::_expandAddr(rule,s);
Compiler::_expand_addr(rule, s, expand_cluster_interfaces_fully);
}
bool PolicyCompiler_ipfw::expandAnyService::processNext()
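Review bot: The header comment above PolicyCompiler_ipfw::_expand_addr (its tail is visible as `* object that own the policy we are processing, because we can use` / `* address 'me' in ipfw rules.`) does not mention the new parameter, and the early return `if (o->getId()==fw->getId()) return;` runs before the flag is forwarded, so the flag has no effect when the rule element is the firewall itself. Suggest adding `* @param expand_cluster_interfaces_fully forwarded to Compiler::_expand_addr; ignored when the element is this firewall (the early return above skips expansion)`. Whether that early return should also apply when compiling a cluster member and the element is the cluster object is not decidable from this hunk; the comment should say which case is intended.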


@ -57,7 +57,9 @@ namespace fwcompiler {
virtual std::string myPlatformName();
virtual void _expandAddr(libfwbuilder::Rule *rule,libfwbuilder::FWObject *s);
virtual void _expand_addr(libfwbuilder::Rule *rule,
libfwbuilder::FWObject *s,
bool expand_cluster_interfaces_fully);
/**
* prints rule in some universal format (close to that visible


@ -2048,7 +2048,7 @@
<ClusterGroupOptions/>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1265516307" lastInstalled="0" lastModified="1270766255" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls. See ticket #372 for explanation.&#10;" ro="False">
<Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1265516307" lastInstalled="0" lastModified="1270779748" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls. See ticket #372 for explanation.&#10;" ro="False">
<NAT id="id3587X13311" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id5131X78768" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -2820,7 +2820,7 @@
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id8228X45618" disabled="False" group="" log="False" position="19" action="Deny" direction="Inbound" comment="using interface of another cluster in the rule">
<PolicyRule id="id8228X45618" disabled="False" group="" log="False" position="19" action="Accept" direction="Inbound" comment="using interface of another cluster in the rule">
<Src neg="False">
<ObjectRef ref="id58435X29313"/>
</Src>
@ -2837,10 +2837,30 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3563X13311" disabled="False" log="True" position="20" action="Deny" direction="Both" comment="">
<PolicyRule id="id147047X84105" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3433X13311"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id58435X29313"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3563X13311" disabled="False" log="True" position="21" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2858,7 +2878,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="21" action="Deny" direction="Both" comment="">
<PolicyRule id="id3575X13311" disabled="False" group="" log="True" position="22" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
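Review bot: In the example objects file the rule id8228X45618 changes from `action="Deny"` to `action="Accept"` and from stateless True to False, and a new rule id147047X84105 accepting tcp-SSH from cluster id3433X13311 to id58435X29313 on sysid0 is added with `comment=""`; neither the commit message nor the rules say why the shipped example policy became more permissive. If these rules exist to exercise the #1394 code path (an interface of another cluster used in a rule), please say so in their comment attribute, e.g. `comment="exercises #1394: rule references an interface of another cluster"`, so that someone reading the example later does not take the Accept as a recommended configuration. The object id58435X29313 referenced as Dst is not part of this diff, so I cannot confirm it is the other cluster's interface.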