onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 01:37:17 +01:00
Code Issues Releases Wiki Activity

compilers for iosacl and pix use getAddressPtr

Browse Source
This commit is contained in:
Vadim Kurland 2008-05-20 00:02:10 +00:00
parent 41d6790592
commit c5f9a8f99b
7 changed files with 172 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/cisco_lib/Helper.cpp
View File

@ -100,27 +100,31 @@ void Helper::expand_group_recursive(FWObject *o,list<FWObject*> &ol)
string Helper::findInterfaceByAddress(libfwbuilder::Address *obj)
{
return findInterfaceByAddress( *(obj->getAddressPtr()) );
return findInterfaceByAddress( obj->getAddressPtr() );
}
string Helper::findInterfaceByAddress(const libfwbuilder::InetAddr &addr)
string Helper::findInterfaceByAddress(const libfwbuilder::InetAddr *addr)
{
if (addr==NULL) return "";
Firewall *fw=compiler->fw;
list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i) {
Interface *iface=Interface::cast(*i);
if ( iface->belongs( addr ) ) return iface->getId();
if ( iface->belongs( *addr ) ) return iface->getId();
}
return "";
}
string Helper::findInterfaceByNetzone(Address *obj)
{
return findInterfaceByNetzone(*(obj->getAddressPtr()));
return findInterfaceByNetzone(obj->getAddressPtr());
}
string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
string Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
{
if (addr==NULL) return "";
Firewall *fw=compiler->fw;
map<string,FWObject*> zones;
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
@ -134,7 +138,7 @@ string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
j!=netzone->end(); ++j)
{
assert(Address::cast(*j)!=NULL);
if (Address::cast(*j)->belongs(addr))
if (Address::cast(*j)->belongs(*addr))
zones[(*i)->getId()]=netzone;
}
}
@ -163,13 +167,11 @@ string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
* Subnets defined by addresses of interfaces are automatically part
* of the corresponding network zones
*/
if (res_id.empty())
res_id=findInterfaceByAddress( addr );
if (res_id.empty()) res_id=findInterfaceByAddress( addr );
if (res_id.empty())
throw(
string("Can not find interface with network zone that includes "
"address ") + addr.toString());
throw(string("Can not find interface with network zone that includes "
"address ") + addr->toString());
return res_id;
}

4
src/cisco_lib/Helper.h
View File

@ -49,14 +49,14 @@ namespace fwcompiler {
* finds interface of the firewall to whose subnet object
* 'obj' belongs to. Returns interface ID
*/
std::string findInterfaceByAddress(const libfwbuilder::InetAddr &a);
std::string findInterfaceByAddress(const libfwbuilder::InetAddr *a);
std::string findInterfaceByAddress(libfwbuilder::Address *obj);
/**
* finds interface of the firewall associated with the netzone
* that object 'obj' belongs to. Returns interface ID
*/
std::string findInterfaceByNetzone(const libfwbuilder::InetAddr &a)
std::string findInterfaceByNetzone(const libfwbuilder::InetAddr *a)
throw(std::string);
std::string findInterfaceByNetzone(libfwbuilder::Address *obj);
std::list<std::string> findInterfaceByNetzoneOrAll(

61
src/iosacl/PolicyCompiler_iosacl_writers.cpp
View File

@ -369,11 +369,6 @@ string PolicyCompiler_iosacl::PrintRule::_printDstService(Service *srv)
string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o)
{
ostringstream str;
const InetAddr *srcaddr = o->getAddressPtr();
InetAddr srcmask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=NULL)
{
Interface *interface_=Interface::cast(o);
@ -381,36 +376,50 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o)
{
return string("interface ") + interface_->getLabel() + " ";
}
srcmask = InetAddr(InetAddr::getAllOnes());
}
if (IPv4::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
ostringstream str;
if (srcaddr->isAny() && srcmask.isAny())
const InetAddr *srcaddr = o->getAddressPtr();
if (srcaddr)
{
str << "any ";
} else {
if (srcmask.isHostMask())
InetAddr srcmask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
if (IPv4::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
if (srcaddr->isAny() && srcmask.isAny())
{
str << "host " << srcaddr->toString() << " ";
} else
{
str << srcaddr->toString() << " ";
str << "any ";
} else {
if (srcmask.isHostMask())
{
str << "host " << srcaddr->toString() << " ";
} else
{
str << srcaddr->toString() << " ";
// cisco uses "wildcards" instead of netmasks
// cisco uses "wildcards" instead of netmasks
//long nm = srcmask.to32BitInt();
//struct in_addr na;
//na.s_addr = ~nm;
InetAddr nnm( ~srcmask );
//long nm = srcmask.to32BitInt();
//struct in_addr na;
//na.s_addr = ~nm;
InetAddr nnm( ~srcmask );
str << nnm.toString() << " ";
}
str << nnm.toString() << " ";
}
}
return str.str();
} else
{
compiler->abort(string("Object ") + o->getName() +
string(" (id=") + o->getId() + string(") ") +
string(" has no ip address and can not be used ") +
string("in the rule."));
}
return str.str();
}
/*

55
src/pix/NATCompiler_pix.cpp
View File

@ -350,9 +350,13 @@ bool NATCompiler_pix::AssignInterface::processNext()
rule->setStr("nat_iface_trn", helper.findInterfaceByNetzone(a2));
if ( rule->getStr("nat_iface_orig")=="" )
compiler->abort("Object '"+a1->getName()+"' does not belong to any known network zone. Rule: "+rule->getLabel());
compiler->abort("Object '" + a1->getName() +
"' does not belong to any known network zone. Rule: " +
rule->getLabel());
if ( rule->getStr("nat_iface_trn")=="" )
compiler->abort("Object '"+a2->getName()+"' does not belong to any known network zone. Rule: "+rule->getLabel());
compiler->abort("Object '" + a2->getName() +
"' does not belong to any known network zone. Rule: " +
rule->getLabel());
// if ( rule->getStr("nat_iface_orig")==rule->getStr("nat_iface_trn"))
// compiler->abort("Objects '"+a1->getName()+"' and '"+a2->getName()+"' belong to the same network zone. Can not build NAT configuration. Rule: "+rule->getLabel());
@ -368,13 +372,17 @@ bool NATCompiler_pix::verifyInterfaces::processNext()
#ifdef WRONG_CHECK
if ( rule->getStr("nat_iface_orig")!=rule->getStr("nat_iface_trn") )
{
if (rule->getRuleType()==NATRule::SNAT) {
if (rule->getRuleType()==NATRule::SNAT)
{
Interface *iface1=
Interface::cast( rule->getRoot()->findInIndex(rule->getStr("nat_iface_orig")) );
Interface::cast( rule->getRoot()->findInIndex(
rule->getStr("nat_iface_orig")) );
Interface *iface2=
Interface::cast( rule->getRoot()->findInIndex(rule->getStr("nat_iface_trn")) );
Interface::cast( rule->getRoot()->findInIndex(
rule->getStr("nat_iface_trn")) );
if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() ) {
if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() )
{
char lvl1[32];
char lvl2[32];
sprintf(lvl1,"%d",iface1->getSecurityLevel());
@ -405,19 +413,22 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
Address *tdst=compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv);
bool version_lt_63=libfwbuilder::XMLTools::version_compare(compiler->fw->getStr("version"),"6.3")<0;
bool version_lt_63 = libfwbuilder::XMLTools::version_compare(
compiler->fw->getStr("version"),"6.3")<0;
if (rule->getRuleType()==NATRule::SNAT)
{
if ((! osrv->isAny() || ! tsrv->isAny()) && version_lt_63)
compiler->abort("only PIX v6.3 recognizes services in global NAT. Rule: "+rule->getLabel() );
compiler->abort("only PIX v6.3 recognizes services in global NAT. "
"Rule: "+rule->getLabel() );
}
if (rule->getRuleType()==NATRule::DNAT)
{
if (AddressRange::cast(odst) || AddressRange::cast(tdst))
compiler->abort(
"Address ranges are not supported in original destination or translated destination in NAT rule "+rule->getLabel() );
"Address ranges are not supported in original destination or "
"translated destination in NAT rule "+rule->getLabel() );
if (Network::isA(odst) && Network::isA(tdst))
{
@ -428,15 +439,18 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
if ( !(n1==n2) )
compiler->abort(
"Original and translated destination must be of the same size in the NAT rule "+rule->getLabel());
"Original and translated destination must be of the same "
"size in the NAT rule "+rule->getLabel());
}
if (osrv->getTypeName()!=tsrv->getTypeName())
compiler->abort("Original and translated services must be of the same type. Rule: "+rule->getLabel());
compiler->abort("Original and translated services must be of "
"the same type. Rule: "+rule->getLabel());
if (ICMPService::isA(osrv))
compiler->abort("ICMP services are not supported in static NAT. Rule: "+rule->getLabel());
compiler->abort("ICMP services are not supported in static NAT. "
"Rule: "+rule->getLabel());
if (TCPService::isA(osrv) || UDPService::isA(osrv))
{
@ -444,7 +458,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
int dre=osrv->getInt("dst_range_end");
if (drs!=dre)
compiler->abort("TCP or UDP service with a port range is not supported in NAT. Rule "+rule->getLabel());
compiler->abort("TCP or UDP service with a port range is not "
"supported in NAT. Rule "+rule->getLabel());
}
if (TCPService::isA(tsrv) || UDPService::isA(tsrv))
{
@ -452,7 +467,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
int dre=tsrv->getInt("dst_range_end");
if (drs!=dre)
compiler->abort("TCP or UDP service with a port range is not supported in NAT. Rule "+rule->getLabel());
compiler->abort("TCP or UDP service with a port range is not "
"supported in NAT. Rule "+rule->getLabel());
}
}
@ -646,16 +662,19 @@ void NATCompiler_pix::UseFirewallInterfaces::scanInterfaces(RuleElement *rel)
" ( found object with type "+
string((o!=NULL)?o->getTypeName():"<NULL>") +
")");
const InetAddr *obj_addr = obj->getAddressPtr();
if (obj_addr==NULL) return;
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *interface_=Interface::cast(*i);
if ((*interface_->getAddressPtr()) == *(obj->getAddressPtr()))
Interface *iface=Interface::cast(*i);
const InetAddr *iface_addr = iface->getAddressPtr();
if (iface_addr == NULL) continue;
if (*iface_addr == *obj_addr)
{
rel->removeRef(obj);
rel->addRef(interface_);
rel->addRef(iface);
return;
}
}

86
src/pix/OSConfigurator_pix_os.cpp
View File

@ -178,23 +178,28 @@ string OSConfigurator_pix_os::_printLogging()
ostringstream str;
bool logging_on=false;
string syslog_host = fw->getOptionsObject()->getStr("pix_syslog_host");
int syslog_queue_size=fw->getOptionsObject()->getInt("pix_syslog_queue_size");
string syslog_facility= fw->getOptionsObject()->getStr("pix_syslog_facility");
string trap_level= fw->getOptionsObject()->getStr("pix_logging_trap_level");
bool buffered= fw->getOptionsObject()->getBool("pix_logging_buffered");
string buffered_level= fw->getOptionsObject()->getStr("pix_logging_buffered_level");
bool console= fw->getOptionsObject()->getBool("pix_logging_console");
string console_level= fw->getOptionsObject()->getStr("pix_logging_console_level");
bool timestamp= fw->getOptionsObject()->getBool("pix_logging_timestamp");
string syslog_host = fw->getOptionsObject()->getStr("pix_syslog_host");
int syslog_queue_size = fw->getOptionsObject()->getInt(
"pix_syslog_queue_size");
string syslog_facility = fw->getOptionsObject()->getStr(
"pix_syslog_facility");
string trap_level = fw->getOptionsObject()->getStr(
"pix_logging_trap_level");
bool buffered = fw->getOptionsObject()->getBool("pix_logging_buffered");
string buffered_level = fw->getOptionsObject()->getStr(
"pix_logging_buffered_level");
bool console = fw->getOptionsObject()->getBool("pix_logging_console");
string console_level = fw->getOptionsObject()->getStr(
"pix_logging_console_level");
bool timestamp = fw->getOptionsObject()->getBool("pix_logging_timestamp");
if ( ! syslog_host.empty() )
{
string iface_id=helper.findInterfaceByNetzone(InetAddr(syslog_host));
if (iface_id.empty()) abort("Log server "+syslog_host+" does not belong to any known network zone");
InetAddr syslog_addr(syslog_host);
string iface_id = helper.findInterfaceByNetzone(&syslog_addr);
if (iface_id.empty())
abort("Log server " + syslog_host +
" does not belong to any known network zone");
Interface *syslog_iface = getCachedFwInterface(iface_id);
str << endl;
@ -251,18 +256,21 @@ string OSConfigurator_pix_os::_printLogging()
return str.str();
}
string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,int poll_trap)
string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,
int poll_trap)
{
Helper helper(this);
ostringstream str;
string iface_id=helper.findInterfaceByNetzone( InetAddr(srv) );
InetAddr srv_addr(srv);
string iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id.empty())
abort(string("SNMP server ")+srv+" does not belong to any known network zone");
abort(string("SNMP server ") + srv +
" does not belong to any known network zone");
Interface *snmp_iface = getCachedFwInterface(iface_id);
str << "snmp-server host " << snmp_iface->getLabel() << " " << srv;
switch (poll_trap) {
switch (poll_trap)
{
case 1: str << " poll" << endl; break;
case 2: str << " trap" << endl; break;
default: str << endl; break;
@ -276,9 +284,12 @@ string OSConfigurator_pix_os::_printSNMP()
string version = fw->getStr("version");
string platform = fw->getStr("platform");
bool set_communities=fw->getOptionsObject()->getBool("pix_set_communities_from_object_data");
bool set_sysinfo= fw->getOptionsObject()->getBool("pix_set_sysinfo_from_object_data" );
bool enable_traps= fw->getOptionsObject()->getBool("pix_enable_snmp_traps");
bool set_communities = fw->getOptionsObject()->getBool(
"pix_set_communities_from_object_data");
bool set_sysinfo = fw->getOptionsObject()->getBool(
"pix_set_sysinfo_from_object_data" );
bool enable_traps = fw->getOptionsObject()->getBool(
"pix_enable_snmp_traps");
string clearSNMPcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/version_")+
@ -294,7 +305,8 @@ string OSConfigurator_pix_os::_printSNMP()
{
if (set_communities) {
string read_c=fw->getManagementObject()->getSNMPManagement()->getReadCommunity();
string read_c = fw->getManagementObject()->
getSNMPManagement()->getReadCommunity();
str << endl;
str << "snmp-server community " << read_c << endl;
}
@ -303,8 +315,10 @@ string OSConfigurator_pix_os::_printSNMP()
string location=fw->getOptionsObject()->getStr("snmp_location");
string contact =fw->getOptionsObject()->getStr("snmp_contact");
str << endl;
if (!location.empty()) str << "snmp-server location " << location << endl;
if (!contact.empty()) str << "snmp-server contact " << contact << endl;
if (!location.empty())
str << "snmp-server location " << location << endl;
if (!contact.empty())
str << "snmp-server contact " << contact << endl;
}
if (enable_traps) {
@ -315,10 +329,14 @@ string OSConfigurator_pix_os::_printSNMP()
str << "no snmp-server enable traps" << endl;
}
string snmp_server_1= fw->getOptionsObject()->getStr("pix_snmp_server1");
string snmp_server_2= fw->getOptionsObject()->getStr("pix_snmp_server2");
int snmp_poll_traps_1= fw->getOptionsObject()->getInt("pix_snmp_poll_traps_1");
int snmp_poll_traps_2= fw->getOptionsObject()->getInt("pix_snmp_poll_traps_2");
string snmp_server_1 = fw->getOptionsObject()->getStr(
"pix_snmp_server1");
string snmp_server_2 = fw->getOptionsObject()->getStr(
"pix_snmp_server2");
int snmp_poll_traps_1 = fw->getOptionsObject()->getInt(
"pix_snmp_poll_traps_1");
int snmp_poll_traps_2 = fw->getOptionsObject()->getInt(
"pix_snmp_poll_traps_2");
if (!snmp_server_1.empty())
str << _printSNMPServer(snmp_server_1,snmp_poll_traps_1);
@ -334,9 +352,10 @@ string OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref)
Helper helper(this);
ostringstream str;
string iface_id=helper.findInterfaceByNetzone( InetAddr(srv) );
if (iface_id.empty()) abort("NTP server "+srv+" does not belong to any known network zone");
InetAddr srv_addr(srv);
string iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id.empty())
abort("NTP server "+srv+" does not belong to any known network zone");
Interface *ntp_iface = getCachedFwInterface(iface_id);
str << "ntp server " << srv << " source " << ntp_iface->getLabel();
if (pref) str << " prefer";
@ -460,7 +479,8 @@ string OSConfigurator_pix_os::_printSysopt()
return res.str();
}
string OSConfigurator_pix_os::_printServiceTimeout(const std::string &pix_service)
string OSConfigurator_pix_os::_printServiceTimeout(
const std::string &pix_service)
{
ostringstream res;
string hh,mm,ss;

52
src/pix/PolicyCompiler_pix_writers.cpp
View File

@ -351,11 +351,6 @@ string PolicyCompiler_pix::PrintRule::_printDstService(libfwbuilder::Service *sr
string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
{
ostringstream str;
const InetAddr *srcaddr = o->getAddressPtr();
InetAddr srcmask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=NULL)
{
Interface *interface_=Interface::cast(o);
@ -363,28 +358,43 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
{
return string("interface ") + interface_->getLabel() + " ";
}
srcmask = InetAddr(InetAddr::getAllOnes());
}
if (IPv4::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
ostringstream str;
if (srcaddr->isAny() && srcmask.isAny())
const InetAddr *srcaddr = o->getAddressPtr();
if (srcaddr)
{
str << "any ";
} else {
if (srcmask.isHostMask())
InetAddr srcmask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
if (IPv4::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
if (srcaddr->isAny() && srcmask.isAny())
{
str << "host " << srcaddr->toString() << " ";
} else
{
str << srcaddr->toString() << " ";
str << srcmask.toString() << " ";
}
str << "any ";
} else {
if (srcmask.isHostMask())
{
str << "host " << srcaddr->toString() << " ";
} else
{
str << srcaddr->toString() << " ";
str << srcmask.toString() << " ";
}
}
return str.str();
} else
{
compiler->abort(string("Object ") + o->getName() +
string(" (id=") + o->getId() + string(") ") +
string(" has no ip address and can not be used ") +
string("in the rule."));
}
return str.str();
}
bool PolicyCompiler_pix::PrintRule::suppressDuplicateICMPCommands(const string &cmd)

2
test/iosacl/do-diff
View File

@ -10,6 +10,6 @@ else
TOOL="diff -u -b -B"
fi
$TOOL firewall${N}.fw.orig firewall${N}.fw
$TOOL ${N}.fw.orig ${N}.fw