diff --git a/build_num b/build_num
index 1acac6b84..ece093ab5 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 2798
+#define BUILD_NUM 2799
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 2738f8c1d..be408901f 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,19 @@
 2010-04-08 vadim
+ * CompilerDriver.cpp (CompilerDriver::copyFailoverInterface):
+ see #1394 there is no need to add a copy of member interface objects
+ to the cluster anymore.
+
+ * PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::_expand_interface):
+ fixes #1394 Using existing virtual functions that expand multiple
+ addresses to expand cluster interfaces. Added parameter bool
+ expand_cluster_interfaces_fully to _expand_addr,
+ _expand_addr_recursive and _expand_interface. Now expanding
+ cluster interface in the Compiler::_expand_interface instead of
+ PolicyCompiler_ipt::_expand_interface. Now it is possible to
+ use interface of another cluster in rules (interface of a cluster
+ object different from the one being compiled).
+
 * ProjectPanel_file_ops.cpp (ProjectPanel::exportLibraryTest):
 fixed #1395 "routing rules are not reported properly while exporting
 library"
diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp
index b30ab9f8e..bc922a3ac 100644
--- a/src/cisco_lib/NATCompiler_pix.cpp
+++ b/src/cisco_lib/NATCompiler_pix.cpp
@@ -81,7 +81,8 @@ NATCompiler_pix::NATCompiler_pix(FWObjectDatabase *_db,
 void NATCompiler_pix::_expand_addr_recursive_pix(Rule *rule,
 FWObject *re,
 FWObject *s,
- list &ol)
+ list &ol,
+ bool expand_cluster_interfaces_fully)
 {
 Interface *rule_iface = Interface::cast(dbcopy->findInIndex(rule->getInterfaceId()));
 bool odst_or_tsrc = (re->getTypeName() == RuleElementODst::TYPENAME ||
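Review bot: The new `bool expand_cluster_interfaces_fully` parameter added to `_expand_addr_recursive_pix` is documented nowhere in this commit, yet it is threaded unchanged through every `_expand_addr`/`_expand_addr_recursive`/`_expand_interface` override in NATCompiler_pix, PolicyCompiler_pix, NATCompiler_ipt, PolicyCompiler_ipt and PolicyCompiler_ipfw, and the call sites in RoutingCompiler_iosacl.cpp and PolicyCompiler_ipt.cpp pass bare `true`/`false`. The ChangeLog entry and the `#1234` comment removed from PolicyCompiler_ipt::_expand_interface suggest the flag decides whether a cluster failover interface expands to its own addresses only or also to the addresses of the member interface, but the base Compiler::_expand_interface that acts on it is not in the diff, so the meaning should be stated once where the parameter is declared. A comment such as `// expand_cluster_interfaces_fully: also add the member interface's addresses when expanding a cluster failover interface (see #1394; confirm against Compiler::_expand_interface)` at the base declaration (not in this diff) or in each touched header would do, and a small named enum instead of the bool would make the literal call sites self-describing. The body of `_expand_addr_recursive_pix` continues past this hunk.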
@@ -139,53 +140,29 @@ void NATCompiler_pix::_expand_addr_recursive_pix(Rule *rule,
 continue;
 }
- _expand_interface(rule, i2itf, ol);
+ _expand_interface(rule, i2itf, ol, expand_cluster_interfaces_fully);
 continue;
 }
- _expand_addr_recursive_pix(rule, re, *i2, ol);
+ _expand_addr_recursive_pix(rule, re, *i2, ol, expand_cluster_interfaces_fully);
 }
 }
 }
 void NATCompiler_pix::_expand_addr_recursive(Rule *rule,
 FWObject *re,
- list &ol)
+ list &ol,
+ bool expand_cluster_interfaces_fully)
 {
- _expand_addr_recursive_pix(rule, re, re, ol);
+ _expand_addr_recursive_pix(rule, re, re, ol, expand_cluster_interfaces_fully);
 }
 void NATCompiler_pix::_expand_interface(Rule *rule,
 Interface *iface,
- std::list &ol)
+ std::list &ol,
+ bool expand_cluster_interfaces_fully)
 {
- FWObject *parent = iface->getParentHost();
- if (Cluster::cast(parent) == NULL)
- {
- Compiler::_expand_interface(rule, iface, ol);
- return;
- }
-
- FailoverClusterGroup *failover_group = FailoverClusterGroup::cast(
- iface->getFirstByType(FailoverClusterGroup::TYPENAME));
- if (failover_group)
- {
- Interface *member_iface =
- failover_group->getInterfaceForMemberFirewall(fw);
- if (member_iface)
- {
- Compiler::_expand_interface(rule, member_iface, ol);
- return;
- }
-
- QString err("Failover group of cluster interface '%1' (%2) "
- "does not include interface for the member '%3'");
- abort(rule,
- err.
- arg(iface->getName().c_str()).
- arg(iface->getLabel().c_str()).
- arg(fw->getName().c_str()).toStdString());
- }
+ Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully);
 }
 string NATCompiler_pix::getNATACLname(Rule *rule,int nat_id)
diff --git a/src/cisco_lib/NATCompiler_pix.h b/src/cisco_lib/NATCompiler_pix.h
index 138335fbd..04093a2a2 100644
--- a/src/cisco_lib/NATCompiler_pix.h
+++ b/src/cisco_lib/NATCompiler_pix.h
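Review bot: With its body reduced to `Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully);`, NATCompiler_pix::_expand_interface no longer reports a cluster interface whose failover group has no interface for the member being compiled — the `abort(rule, "Failover group of cluster interface ... does not include interface for the member ...")` path is deleted here, and the equivalent path is deleted from PolicyCompiler_pix::_expand_interface in PolicyCompiler_pix.cpp. Unless Compiler::_expand_interface, which is not in this diff, raises the same error, a misconfigured cluster now compiles silently and the generated NAT or policy rule may carry no address for that interface; that should be confirmed before merging. If the base class does cover it, both overrides are pure pass-throughs and could be dropped together with their declarations in NATCompiler_pix.h and PolicyCompiler_pix.h, or kept with a one-line comment such as `// cluster interface handling, including the missing-member-interface error, lives in Compiler::_expand_interface (#1394)`.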
@@ -104,12 +104,14 @@ namespace fwcompiler {
 void _expand_addr_recursive_pix(libfwbuilder::Rule *rule,
 libfwbuilder::FWObject *re,
 libfwbuilder::FWObject *s,
- std::list &ol);
+ std::list &ol,
+ bool expand_cluster_interfaces_fully);
 virtual void _expand_addr_recursive(libfwbuilder::Rule *rule,
- libfwbuilder::FWObject *s,
- std::list &ol);
+ libfwbuilder::FWObject *s,
+ std::list &ol,
+ bool expand_cluster_interfaces_fully);
 /**
 * internal: checks if interface is a child of a cluster and calls
@@ -119,7 +121,8 @@ namespace fwcompiler {
 */
 virtual void _expand_interface(libfwbuilder::Rule *rule,
 libfwbuilder::Interface *iface,
- std::list &ol);
+ std::list &ol,
+ bool expand_cluster_interfaces_fully);
 /* this is a dictionary of all nat acl names and associated boolean
 * flag that indicates that corresponding 'clear' command has been
diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp
index 03603421b..b1f2e1136 100644
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
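Review bot: The comment above `_expand_interface` in NATCompiler_pix.h, `internal: checks if interface is a child of a cluster and calls ...`, describes exactly the logic this commit removes from NATCompiler_pix.cpp; the override now only forwards to Compiler::_expand_interface, so the comment is stale and should be rewritten, e.g. `internal: forwards to Compiler::_expand_interface; expansion of cluster interfaces is controlled by expand_cluster_interfaces_fully (#1394)`. Only the first line of that comment falls inside the hunk, and the same text most likely precedes the matching declaration in PolicyCompiler_pix.h, where the hunk shows just the closing `*/`, so both headers need the same update.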
@@ -183,39 +183,10 @@ int PolicyCompiler_pix::prolog()
 void PolicyCompiler_pix::_expand_interface(Rule *rule,
 Interface *iface,
- std::list &ol)
+ std::list &ol,
+ bool expand_cluster_interfaces_fully)
 {
- FWObject *parent = iface->getParentHost();
- if (Cluster::cast(parent) == NULL)
- {
- Compiler::_expand_interface(rule, iface, ol);
- return;
- }
-
- FWObject *failover_group = iface->getFirstByType(FailoverClusterGroup::TYPENAME);
- if (failover_group)
- {
- for (FWObjectTypedChildIterator it =
- failover_group->findByType(FWObjectReference::TYPENAME);
- it != it.end(); ++it)
- {
- Interface *member_iface =
- Interface::cast(FWObjectReference::getObject(*it));
- assert(member_iface);
- if (member_iface->isChildOf(fw))
- {
- Compiler::_expand_interface(rule, member_iface, ol);
- return;
- }
- }
- QString err("Failover group of cluster interface '%1' (%2) "
- "does not include interface for the member '%3'");
- abort(rule,
- err.
- arg(iface->getName().c_str()).
- arg(iface->getLabel().c_str()).
- arg(fw->getName().c_str()).toStdString());
- }
+ Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully);
 }
diff --git a/src/cisco_lib/PolicyCompiler_pix.h b/src/cisco_lib/PolicyCompiler_pix.h
index 3cd248b93..46b52cbcc 100644
--- a/src/cisco_lib/PolicyCompiler_pix.h
+++ b/src/cisco_lib/PolicyCompiler_pix.h
@@ -76,7 +76,8 @@ namespace fwcompiler {
 */
 virtual void _expand_interface(libfwbuilder::Rule *rule,
 libfwbuilder::Interface *iface,
- std::list &ol);
+ std::list &ol,
+ bool expand_cluster_interfaces_fully);
 /* *************************************************************************
diff --git a/src/cisco_lib/RoutingCompiler_iosacl.cpp b/src/cisco_lib/RoutingCompiler_iosacl.cpp
index 34539d247..04286b9a1 100644
--- a/src/cisco_lib/RoutingCompiler_iosacl.cpp
+++ b/src/cisco_lib/RoutingCompiler_iosacl.cpp
@@ -84,7 +84,7 @@ bool RoutingCompiler_iosacl::ExpandMultipleAddressesExceptInterface::processNext
 tmp_queue.push_back(rule);
 RuleElementRDst *dst = rule->getRDst();
 assert(dst);
- compiler->_expandAddr(rule, dst);
+ compiler->_expand_addr(rule, dst, true);
 RuleElementRGtw *gtwrel = rule->getRGtw();
 assert(gtwrel);
 Address *gtw = Address::cast(
@@ -92,7 +92,7 @@ bool RoutingCompiler_iosacl::ExpandMultipleAddressesExceptInterface::processNext
 if (gtw == NULL) compiler->abort(rule, "Broken GTW");
 if (Interface::isA(gtw) && gtw->isChildOf(compiler->fw)) return true;
- compiler->_expandAddr(rule, gtwrel);
+ compiler->_expand_addr(rule, gtwrel, false);
 return true;
 }
diff --git a/src/compiler_lib/CompilerDriver.cpp b/src/compiler_lib/CompilerDriver.cpp
index 9223eb722..46bab1a2f 100644
--- a/src/compiler_lib/CompilerDriver.cpp
+++ b/src/compiler_lib/CompilerDriver.cpp
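Review bot: The two new calls pass opposite literals — `compiler->_expand_addr(rule, dst, true);` for the route destination and `compiler->_expand_addr(rule, gtwrel, false);` for the gateway — with nothing saying why the gateway element must not be expanded the same way. A reader cannot tell whether `false` is deliberate (a route needs one next-hop address, so a cluster interface in the gateway slot presumably should not also expand to the member interface's addresses) or an oversight; a comment on the gateway call such as `// gateway must resolve to a single address: do not expand a cluster interface to its member's addresses (confirm against Compiler::_expand_addr)` would settle it. The enclosing processNext() begins before this hunk.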
@@ -1022,39 +1022,6 @@ void CompilerDriver::copyFailoverInterface(Cluster *cluster,
 new_cl_if->setUnprotected(iface->isUnprotected());
 fw->getOptionsObject()->setBool("cluster_member", true);
-
- /* Add copy of firewall's real interface to the cluster to make sure
- * compiler recognizes it when it encounters cluster object in rules.
- * This fixes #15 (makes compiler choose correct chains)
- *
- * Update 01/31/2010:
- *
- * Example of rule where this is necessary is anti-spoofing
- * rule. When cluster object is placed in rule element, it is
- * assumed that it represents its own addresses, plus addresses of
- * the members.
- *
- * A copy of the member interface does not have
- * FailoverClusterGroup child object and is not recognized as
- * failover interface. This is important when this interface is
- * dynamic. When cluster object is used in the rule and then
- * replaced with all its interfaces in one of the rule processors,
- * this copy interface appears as having cluster as a parent, not
- * the firewall that is being compiled. This creates problems with
- * processing of dynamic interfaces. They look like they belong to
- * some other object and trigger "can use dynamic interface
- * because its address is unknown" error.
- *
- * However there is no need to add a copy of the interface of the
- * member to the cluster if this interface is dynamic or
- * unnumbered. Corresponding cluster interface inherits isDyn()
- * property and is sufficient. This is for ticket #1184
- */
- if ( ! iface->isDyn() && ! iface->isUnnumbered())
- {
- FWObject *new_member_if = cluster->addCopyOf(iface, true);
- new_member_if->setBool("member_interface_copy", true);
- }
 }
 /**
diff --git a/src/iptlib/NATCompiler_ipt.cpp b/src/iptlib/NATCompiler_ipt.cpp
index 36b0f0b6c..8a96d5e1f 100644
--- a/src/iptlib/NATCompiler_ipt.cpp
+++ b/src/iptlib/NATCompiler_ipt.cpp
@@ -220,11 +220,12 @@ int NATCompiler_ipt::prolog()
 void NATCompiler_ipt::_expand_interface(Rule *rule,
 Interface *iface,
- std::list &ol)
+ std::list &ol,
+ bool expand_cluster_interfaces_fully)
 {
 std::list nol;
- Compiler::_expand_interface(rule, iface, ol);
+ Compiler::_expand_interface(rule, iface, ol, expand_cluster_interfaces_fully);
 physAddress *pa=iface->getPhysicalAddress();
 /*
@@ -2693,21 +2694,6 @@ void NATCompiler_ipt::compile()
 add( new classifyNATRule( "reclassify rules" ));
 add( new ConvertLoadBalancingRules( "convert load balancing rules"));
 add( new VerifyRules( "verify rules" ));
-#if 0
-// ----------- 10/18/2008
- add( new splitODstForSNAT(
- "split rule if objects in ODst belong to different subnets") );
- add( new ReplaceFirewallObjectsODst("replace firewall in ODst" ) );
- add( new ReplaceFirewallObjectsTSrc("replace firewall in TSrc" ) );
- add( new splitOnDynamicInterfaceInODst(
- "split rule if ODst is dynamic interface" ) );
- add( new splitOnDynamicInterfaceInTSrc(
- "split rule if TSrc is dynamic interface" ) );
-
- add( new ExpandMultipleAddresses("expand multiple addresses") );
- add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
-// -----------
-#endif
 add( new singleObjectNegationOSrc(
 "negation in OSrc if it holds single object"));
diff --git a/src/iptlib/NATCompiler_ipt.h b/src/iptlib/NATCompiler_ipt.h
index 7cd09366c..d5ec84b30 100644
--- a/src/iptlib/NATCompiler_ipt.h
+++ b/src/iptlib/NATCompiler_ipt.h
@@ -86,8 +86,8 @@ namespace fwcompiler {
 */
 virtual void _expand_interface(libfwbuilder::Rule *rule,
 libfwbuilder::Interface *iface,
- std::list &ol);
-
+ std::list &ol,
+ bool expand_cluster_interfaces_fully);
 virtual std::string debugPrintRule(libfwbuilder::Rule *rule);
diff --git a/src/iptlib/PolicyCompiler_ipt.cpp b/src/iptlib/PolicyCompiler_ipt.cpp
index b10979dcc..bdae9fb8e 100644
--- a/src/iptlib/PolicyCompiler_ipt.cpp
+++ b/src/iptlib/PolicyCompiler_ipt.cpp
@@ -289,29 +289,15 @@ string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule,
 void PolicyCompiler_ipt::_expand_interface(Rule *rule,
 Interface *iface,
- std::list &ol)
+ std::list &ol,
+ bool expand_cluster_interfaces_fully)
 {
- std::list ol1;
+ std::list ol1;
+ std::list lipaddr;
+ std::list lother;
+ physAddress *pa = NULL;
- std::list lipaddr;
- std::list lother;
- physAddress *pa=NULL;
-
- Compiler::_expand_interface(rule, iface,ol1);
-
- if (iface->isFailoverInterface())
- {
- // See #1234 Cluster failover interface expands to its own addresses,
- // plus addresses of the corresponding member interface
-
- FailoverClusterGroup *fg = FailoverClusterGroup::cast(
- iface->getFirstByType(FailoverClusterGroup::TYPENAME));
-
- Interface* member_intf = fg->getInterfaceForMemberFirewall(fw);
- if (member_intf)
- Compiler::_expand_interface(rule, member_intf, ol1);
-
- }
+ Compiler::_expand_interface(rule, iface, ol1, expand_cluster_interfaces_fully);
 for (std::list::iterator j=ol1.begin(); j!=ol1.end(); j++)
 {
@@ -2794,7 +2780,7 @@ bool PolicyCompiler_ipt::expandMultipleAddressesIfNotFWinSrc::processNext()
 RuleElementSrc *srcrel = rule->getSrc();
 Address *src =compiler->getFirstSrc(rule); assert(src);
- if (Firewall::cast(src)==NULL) compiler->_expandAddr(rule, srcrel);
+ if (Firewall::cast(src)==NULL) compiler->_expand_addr(rule, srcrel, true);
 tmp_queue.push_back(rule);
 return true;
 }
@@ -2804,7 +2790,7 @@ bool PolicyCompiler_ipt::expandMultipleAddressesIfNotFWinDst::processNext()
 PolicyRule *rule=getNext(); if (rule==NULL) return false;
 RuleElementDst *dstrel=rule->getDst();
 Address *dst =compiler->getFirstDst(rule); assert(dst);
- if (Firewall::cast(dst)==NULL) compiler->_expandAddr(rule, dstrel);
+ if (Firewall::cast(dst)==NULL) compiler->_expand_addr(rule, dstrel, true);
 tmp_queue.push_back(rule);
 return true;
 }
diff --git a/src/iptlib/PolicyCompiler_ipt.h b/src/iptlib/PolicyCompiler_ipt.h
index 7faedfc47..2a98fca4c 100644
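Review bot: The rewritten body of PolicyCompiler_ipt::_expand_interface drops the only explanation of how a cluster failover interface is expanded here — the removed `// See #1234 Cluster failover interface expands to its own addresses, plus addresses of the corresponding member interface` — and replaces the explicit `isFailoverInterface()` branch with an uncommented pass-through of `expand_cluster_interfaces_fully` to Compiler::_expand_interface. The two callers in this file, `expandMultipleAddressesIfNotFWinSrc` and `expandMultipleAddressesIfNotFWinDst` (hunks at lines 2780 and 2790), now always pass `true`, so a one-line comment keeping the ticket trail findable would help, e.g. `// #1234/#1394: cluster failover interfaces (own addresses plus the member interface's, per ChangeLog) are now expanded by Compiler::_expand_interface`. The rest of this function, including the loop over `ol1`, continues past the hunk.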
--- a/src/iptlib/PolicyCompiler_ipt.h
+++ b/src/iptlib/PolicyCompiler_ipt.h
@@ -120,7 +120,8 @@ protected:
 */
 virtual void _expand_interface(libfwbuilder::Rule *rule,
 libfwbuilder::Interface *iface,
- std::list &ol);
+ std::list &ol,
+ bool expand_cluster_interfaces_fully);
 /**
diff --git a/src/pflib/PolicyCompiler_ipfw.cpp b/src/pflib/PolicyCompiler_ipfw.cpp
index a71f370cf..e20359849 100644
--- a/src/pflib/PolicyCompiler_ipfw.cpp
+++ b/src/pflib/PolicyCompiler_ipfw.cpp
@@ -73,7 +73,7 @@ int PolicyCompiler_ipfw::prolog()
 * object that own the policy we are processing, because we can use
 * address 'me' in ipfw rules.
 */
-void PolicyCompiler_ipfw::_expandAddr(Rule *rule,FWObject *s)
+void PolicyCompiler_ipfw::_expand_addr(Rule *rule, FWObject *s, bool expand_cluster_interfaces_fully)
 {
 RuleElement *re=RuleElement::cast(s);
@@ -84,7 +84,7 @@ void PolicyCompiler_ipfw::_expandAddr(Rule *rule,FWObject *s)
 if (o->getId()==fw->getId()) return;
 }
- Compiler::_expandAddr(rule,s);
+ Compiler::_expand_addr(rule, s, expand_cluster_interfaces_fully);
 }
 bool PolicyCompiler_ipfw::expandAnyService::processNext()
diff --git a/src/pflib/PolicyCompiler_ipfw.h b/src/pflib/PolicyCompiler_ipfw.h
index 0b1ca3a3f..6ee1644d6 100644
--- a/src/pflib/PolicyCompiler_ipfw.h
+++ b/src/pflib/PolicyCompiler_ipfw.h
@@ -57,7 +57,9 @@ namespace fwcompiler {
 virtual std::string myPlatformName();
- virtual void _expandAddr(libfwbuilder::Rule *rule,libfwbuilder::FWObject *s);
+ virtual void _expand_addr(libfwbuilder::Rule *rule,
+ libfwbuilder::FWObject *s,
+ bool expand_cluster_interfaces_fully);
 /**
 * prints rule in some universal format (close to that visible
diff --git a/test/ipt/cluster-tests.fwb b/test/ipt/cluster-tests.fwb
index 1826bc047..b8180cb0b 100644
--- a/test/ipt/cluster-tests.fwb
+++ b/test/ipt/cluster-tests.fwb
@@ -2048,7 +2048,7 @@ - +
@@ -2820,7 +2820,7 @@ - +
@@ -2837,10 +2837,30 @@ - + - + + + + + + + + + + + + + + + + + + + + +
@@ -2858,7 +2878,7 @@ - +
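Review bot: The new definition `void PolicyCompiler_ipfw::_expand_addr(Rule *rule, FWObject *s, bool expand_cluster_interfaces_fully)` is written on a single line, while the matching declaration added to PolicyCompiler_ipfw.h in this same commit and every other `_expand_addr`/`_expand_interface` signature touched here wrap one parameter per line; wrapping the definition the same way keeps it visually aligned with its declaration and avoids the over-long line. The middle of this function, between `RuleElement *re=RuleElement::cast(s);` and the `if (o->getId()==fw->getId()) return;` context, is not in the diff.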