onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 18:57:14 +01:00
Code Issues Releases Wiki Activity

* CompilerDriver.cpp (CompilerDriver::validateClusterGroups):

Browse Source 
fixes #1119 "add test for the integrity of failover cluster
groups".  Compilers require all failover group objects to be
configured with interfaces of member firewalls.
This commit is contained in:
Vadim Kurland 2010-01-20 20:50:04 +00:00
parent 0ded969b45
commit c2ac334627
5 changed files with 254 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 2398
#define BUILD_NUM 2399

5
doc/ChangeLog
View File

@ -1,5 +1,10 @@
2010-01-20 vadim <vadim@vk.crocodile.org>
* CompilerDriver.cpp (CompilerDriver::validateClusterGroups):
fixes #1119 "add test for the integrity of failover cluster
groups". Compilers require all failover group objects to be
configured with interfaces of member firewalls.
* PolicyCompiler_cisco_acls.cpp (setInterfaceAndDirectionBySrc::processNext):
fixes #1120 "redundant commands generated for ssh
access". Compiler for PIX generated two "ssh address netmask

23
src/compiler_lib/CompilerDriver.cpp
View File

@ -673,8 +673,9 @@ void CompilerDriver::validateClusterGroups(Cluster *cluster)
string state_sync_type = (*it)->getStr("type");
if (!isSupported(&state_sync_protocols, state_sync_type))
{
QString err("State sync group type %1 is not supported");
throw FWException(err.arg(state_sync_type.c_str()).toStdString());
QString err("State sync group type '%1' is not supported");
abort(cluster, NULL, NULL, err.arg(state_sync_type.c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
}
@ -686,11 +687,23 @@ void CompilerDriver::validateClusterGroups(Cluster *cluster)
list<FWObject*> failover_groups = cluster->getByTypeDeep(FailoverClusterGroup::TYPENAME);
for (list<FWObject*>::iterator it = failover_groups.begin(); it != failover_groups.end(); ++it)
{
string failover_type = (*it)->getStr("type");
FWObject *failover_group = *it;
FWObject *parent = failover_group->getParent();
string failover_type = failover_group->getStr("type");
if (!isSupported(&failover_protocols, failover_type))
{
QString err("Failover group type %1 is not supported");
throw FWException(err.arg(failover_type.c_str()).toStdString());
QString err("Failover group type '%1' is not supported");
abort(cluster, NULL, NULL, err.arg(failover_type.c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
list<FWObject*> l2 = failover_group->getByTypeDeep(FWObjectReference::TYPENAME);
if (l2.size() == 0)
{
QString err("Failover group of cluster interface '%1' is empty");
abort(cluster, NULL, NULL,
err.arg(parent->getName().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
}
}

10
test/ipt/cluster-tests.fwb
View File

@ -1195,7 +1195,7 @@
<ClusterGroupOptions/>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1263355432" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls. See ticket #372 for explanation.&#10;" ro="False">
<Cluster id="id3433X13311" host_OS="linux24" inactive="False" lastCompiled="1264020601" lastInstalled="0" lastModified="1263355432" platform="iptables" name="heartbeat_cluster_1" comment="This is an example of linux/heartbeat cluster with two policy rule sets. Branching rule in the top policy passes control to rule set to_fw, which is different in member firewalls. See ticket #372 for explanation.&#10;" ro="False">
<NAT id="id3587X13311" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3588X13311" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -1624,7 +1624,7 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id3937X13563" host_OS="linux24" lastCompiled="1248541096" lastInstalled="0" lastModified="1251419063" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
<Cluster id="id3937X13563" host_OS="linux24" lastCompiled="1264020603" lastInstalled="0" lastModified="1251419063" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
<NAT id="id3941X13563" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id5083X25627" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -2286,7 +2286,7 @@
<ServiceGroup id="id1513X69605" name="TagServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id1514X69605" name="Firewalls" comment="" ro="False">
<Firewall id="id2735X69605" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1251419063" platform="iptables" version="" name="linux-1" comment=" " ro="False">
<Firewall id="id2735X69605" host_OS="linux24" inactive="False" lastCompiled="1264020603" lastInstalled="0" lastModified="1251419063" platform="iptables" version="" name="linux-1" comment=" " ro="False">
<NAT id="id2827X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -2454,7 +2454,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3009X69605" host_OS="linux24" inactive="False" lastCompiled="1251482764" lastInstalled="0" lastModified="1251418923" platform="iptables" version="" name="linux-2" comment="" ro="False">
<Firewall id="id3009X69605" host_OS="linux24" inactive="False" lastCompiled="1264020603" lastInstalled="0" lastModified="1251418923" platform="iptables" version="" name="linux-2" comment="" ro="False">
<NAT id="id3101X69605" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -2999,7 +2999,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3783X36775" host_OS="linux24" inactive="False" lastCompiled="1251482998" lastInstalled="0" lastModified="1251482982" platform="iptables" version="" name="linux-bonding-1" comment="VLAN and bonding interface configuration" ro="False">
<Firewall id="id3783X36775" host_OS="linux24" inactive="False" lastCompiled="1264020604" lastInstalled="0" lastModified="1251482982" platform="iptables" version="" name="linux-bonding-1" comment="VLAN and bonding interface configuration" ro="False">
<NAT id="id3817X36775" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>

226
test/pix/cluster-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1258406412" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1264019328" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<Interface id="id3213X42281" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vrrp2" comment="" ro="False">
<InterfaceOptions>
@ -698,6 +698,230 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id56535X61097" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1264019437" platform="pix" name="cluster1-1" comment="the same as cluster1, but some failover groups are unconfigured or broken in some way" ro="False">
<NAT id="id56688X61097" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id56689X61097" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id2385X39486"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id56556X61097"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id56589X61097" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id56590X61097" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id56535X61097"/>
<ObjectRef ref="id2385X39486"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id56556X61097"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id56603X61097" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id56535X61097"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id56615X61097" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id56535X61097"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56627X61097" disabled="False" group="" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2735X69605"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2385X39486"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-DNS"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id56639X61097" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id56535X61097"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2385X39486"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-DNS"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id56651X61097" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id56535X61097"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id56663X61097" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id2385X39486"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id56675X61097" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id56704X61097" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id56545X61097" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id3042X68642" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id56552X61097" type="none" name="cluster1:e1:members" comment="">
<ClusterGroupOptions>
<Option name="vrrp_secret">not so secret</Option>
<Option name="vrrp_vrid">100</Option>
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<Interface id="id56556X61097" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="" ro="False">
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id56563X61097" type="none" name="cluster1:e0.101:members" comment="">
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<Interface id="id56567X61097" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet2" comment="" ro="False">
<InterfaceOptions/>
<FailoverClusterGroup id="id56574X61097" master_iface="id2331X71781" type="pix_failover" name="Failover group" comment="">
<ObjectRef ref="id2331X71781"/>
<ObjectRef ref="id2946X39486"/>
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<Interface id="id56578X61097" dedicated_failover="False" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="20" unnum="False" unprotected="False" name="Ethernet0.102" comment="" ro="False">
<InterfaceOptions/>
<FailoverClusterGroup id="id56585X61097" master_iface="id3817X97641" type="none" name="cluster1:e0.102:members" comment="">
<ObjectRef ref="id3817X97641"/>
<ObjectRef ref="id3315X97641"/>
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<FirewallOptions/>
<StateSyncClusterGroup id="id56707X61097" master_iface="id2331X71781" type="pix_state_sync" name="State Sync Group" comment="">
<ObjectRef ref="id2331X71781"/>
<ObjectRef ref="id2946X39486"/>
<ClusterGroupOptions>
<Option name="pix_failover_key">super_secret</Option>
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
</ObjectGroup>
<ObjectGroup id="id1496X69605" name="Objects" comment="" ro="False">
<ObjectGroup id="id1497X69605" name="Addresses" comment="" ro="False">