diff --git a/src/cisco_lib/Helper.cpp b/src/cisco_lib/Helper.cpp
index 472589651..b34a0933a 100644
--- a/src/cisco_lib/Helper.cpp
+++ b/src/cisco_lib/Helper.cpp
@@ -100,27 +100,31 @@ void Helper::expand_group_recursive(FWObject *o,list &ol)
 string Helper::findInterfaceByAddress(libfwbuilder::Address *obj)
 {
- return findInterfaceByAddress( *(obj->getAddressPtr()) );
+ return findInterfaceByAddress( obj->getAddressPtr() );
 }
 
-string Helper::findInterfaceByAddress(const libfwbuilder::InetAddr &addr)
+string Helper::findInterfaceByAddress(const libfwbuilder::InetAddr *addr)
 {
+ if (addr==NULL) return "";
+
 Firewall *fw=compiler->fw;
 list l2=fw->getByType(Interface::TYPENAME);
 for (list::iterator i=l2.begin(); i!=l2.end(); ++i)
 {
 Interface *iface=Interface::cast(*i);
- if ( iface->belongs( addr ) ) return iface->getId();
+ if ( iface->belongs( *addr ) ) return iface->getId();
 }
 return "";
 }
 
 string Helper::findInterfaceByNetzone(Address *obj)
 {
- return findInterfaceByNetzone(*(obj->getAddressPtr()));
+ return findInterfaceByNetzone(obj->getAddressPtr());
 }
 
-string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
+string Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
 {
+ if (addr==NULL) return "";
+
 Firewall *fw=compiler->fw;
 map zones;
 FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
@@ -134,7 +138,7 @@ string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
 j!=netzone->end(); ++j)
 {
 assert(Address::cast(*j)!=NULL);
- if (Address::cast(*j)->belongs(addr))
+ if (Address::cast(*j)->belongs(*addr))
 zones[(*i)->getId()]=netzone;
 }
 }
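Review bot: The new `if (addr==NULL) return "";` guards make an object without an address indistinguishable from one whose address matches no interface, and in `findInterfaceByNetzone` that empty return now sits beside the existing not-found path, which throws `string` instead of returning, so a caller has to both check for empty and catch. The call sites in `NATCompiler_pix::AssignInterface::processNext` (hunk `@@ -350,9 +350,13 @@`) then report "does not belong to any known network zone" for an address-less object, which is misleading to the user who has to fix the rule. Either make the guard throw a distinct message, e.g. `if (addr==NULL) throw(string("Object has no IP address"));`, or keep the empty return and mark it at both guards with `// NULL address is reported as "not found"; callers that must tell the cases apart check getAddressPtr() themselves`. The two `Address*` overloads still call `obj->getAddressPtr()` without checking `obj`, as before. `findInterfaceByNetzone` continues past the end of the hunk.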
@@ -163,13 +167,11 @@ string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
 * Subnets defined by addresses of interfaces are automatically part
 * of the corresponding network zones
 */
- if (res_id.empty())
- res_id=findInterfaceByAddress( addr );
+ if (res_id.empty()) res_id=findInterfaceByAddress( addr );
 
 if (res_id.empty())
- throw(
- string("Can not find interface with network zone that includes "
- "address ") + addr.toString());
+ throw(string("Can not find interface with network zone that includes "
+ "address ") + addr->toString());
 
 return res_id;
 }
diff --git a/src/cisco_lib/Helper.h b/src/cisco_lib/Helper.h
index 85af19513..f89d904dd 100644
--- a/src/cisco_lib/Helper.h
+++ b/src/cisco_lib/Helper.h
@@ -49,14 +49,14 @@ namespace fwcompiler {
 * finds interface of the firewall to whose subnet object
 * 'obj' belongs to. Returns interface ID
 */
- std::string findInterfaceByAddress(const libfwbuilder::InetAddr &a);
+ std::string findInterfaceByAddress(const libfwbuilder::InetAddr *a);
 std::string findInterfaceByAddress(libfwbuilder::Address *obj);
 
 /**
 * finds interface of the firewall associated with the netzone
 * that object 'obj' belongs to. Returns interface ID
 */
- std::string findInterfaceByNetzone(const libfwbuilder::InetAddr &a)
+ std::string findInterfaceByNetzone(const libfwbuilder::InetAddr *a)
 throw(std::string);
 std::string findInterfaceByNetzone(libfwbuilder::Address *obj);
 std::list findInterfaceByNetzoneOrAll(
diff --git a/src/iosacl/PolicyCompiler_iosacl_writers.cpp b/src/iosacl/PolicyCompiler_iosacl_writers.cpp
index 681ba1684..128317d7f 100644
--- a/src/iosacl/PolicyCompiler_iosacl_writers.cpp
+++ b/src/iosacl/PolicyCompiler_iosacl_writers.cpp
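Review bot: The header comments on `findInterfaceByAddress` and `findInterfaceByNetzone` in `Helper.h` say nothing about the new pointer contract: a NULL `a` yields an empty string, and `findInterfaceByNetzone` throws `std::string` only when the address is non-NULL but matches no zone. Add to the first comment `* Returns an empty string when 'a' is NULL or no interface matches.` and to the second `* Returns an empty string when 'a' is NULL; throws std::string when no network zone matches.` so callers know they must check for empty as well as catch. The `throw(std::string)` dynamic exception specification kept on the second declaration is deprecated since C++11 and removed in C++17, which will matter when the project moves to a newer compiler.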
@@ -369,11 +369,6 @@ string PolicyCompiler_iosacl::PrintRule::_printDstService(Service *srv) string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o) { - ostringstream str; - - const InetAddr *srcaddr = o->getAddressPtr(); - InetAddr srcmask = *(o->getNetmaskPtr()); - if (Interface::cast(o)!=NULL) { Interface *interface_=Interface::cast(o); @@ -381,36 +376,50 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o) { return string("interface ") + interface_->getLabel() + " "; } - - srcmask = InetAddr(InetAddr::getAllOnes()); } - if (IPv4::cast(o)!=NULL) - srcmask = InetAddr(InetAddr::getAllOnes()); + ostringstream str; - - if (srcaddr->isAny() && srcmask.isAny()) + const InetAddr *srcaddr = o->getAddressPtr(); + if (srcaddr) { - str << "any "; - } else { - if (srcmask.isHostMask()) + InetAddr srcmask = *(o->getNetmaskPtr()); + + if (Interface::cast(o)!=NULL) + srcmask = InetAddr(InetAddr::getAllOnes()); + + if (IPv4::cast(o)!=NULL) + srcmask = InetAddr(InetAddr::getAllOnes()); + + if (srcaddr->isAny() && srcmask.isAny()) { - str << "host " << srcaddr->toString() << " "; - } else - { - str << srcaddr->toString() << " "; + str << "any "; + } else { + if (srcmask.isHostMask()) + { + str << "host " << srcaddr->toString() << " "; + } else + { + str << srcaddr->toString() << " "; - // cisco uses "wildcards" instead of netmasks + // cisco uses "wildcards" instead of netmasks - //long nm = srcmask.to32BitInt(); - //struct in_addr na; - //na.s_addr = ~nm; - InetAddr nnm( ~srcmask ); + //long nm = srcmask.to32BitInt(); + //struct in_addr na; + //na.s_addr = ~nm; + InetAddr nnm( ~srcmask ); - str << nnm.toString() << " "; - } + str << nnm.toString() << " "; + } + } + return str.str(); + } else + { + compiler->abort(string("Object ") + o->getName() + + string(" (id=") + o->getId() + string(") ") + + string(" has no ip address and can not be used ") + + string("in the rule.")); } - return str.str(); } /* 
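Review bot: In the new `else` branch of `_printAddr`, `compiler->abort(...)` is the last statement before the function's closing brace, so a non-void function can reach its end without a return; that is undefined behavior unless `abort` is declared non-returning, and the hunk does not show its declaration. Add `return "";` after the `abort(...)` call, or annotate `abort` as non-returning, so every path visibly returns. The same shape is repeated in `PolicyCompiler_pix::PrintRule::_printAddr` in the `@@ -363,28 +358,43 @@` hunk of `src/pix/PolicyCompiler_pix_writers.cpp`. Inside the `if (srcaddr)` branch, `*(o->getNetmaskPtr())` is still dereferenced unguarded; if `getNetmaskPtr()` can be NULL in the same situations as `getAddressPtr()`, it needs the same check. The function's signature and opening lines are in the preceding hunk.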
diff --git a/src/pix/NATCompiler_pix.cpp b/src/pix/NATCompiler_pix.cpp
index 5fe31a543..84768dcb1 100644
--- a/src/pix/NATCompiler_pix.cpp
+++ b/src/pix/NATCompiler_pix.cpp
@@ -350,9 +350,13 @@ bool NATCompiler_pix::AssignInterface::processNext()
 rule->setStr("nat_iface_trn", helper.findInterfaceByNetzone(a2));
 
 if ( rule->getStr("nat_iface_orig")=="" )
- compiler->abort("Object '"+a1->getName()+"' does not belong to any known network zone. Rule: "+rule->getLabel());
+ compiler->abort("Object '" + a1->getName() +
+ "' does not belong to any known network zone. Rule: " +
+ rule->getLabel());
 if ( rule->getStr("nat_iface_trn")=="" )
- compiler->abort("Object '"+a2->getName()+"' does not belong to any known network zone. Rule: "+rule->getLabel());
+ compiler->abort("Object '" + a2->getName() +
+ "' does not belong to any known network zone. Rule: " +
+ rule->getLabel());
 
 // if ( rule->getStr("nat_iface_orig")==rule->getStr("nat_iface_trn"))
 // compiler->abort("Objects '"+a1->getName()+"' and '"+a2->getName()+"' belong to the same network zone. Can not build NAT configuration. Rule: "+rule->getLabel());
@@ -368,13 +372,17 @@ bool NATCompiler_pix::verifyInterfaces::processNext()
 #ifdef WRONG_CHECK
 if ( rule->getStr("nat_iface_orig")!=rule->getStr("nat_iface_trn") )
 {
- if (rule->getRuleType()==NATRule::SNAT) {
+ if (rule->getRuleType()==NATRule::SNAT)
+ {
 Interface *iface1=
- Interface::cast( rule->getRoot()->findInIndex(rule->getStr("nat_iface_orig")) );
+ Interface::cast( rule->getRoot()->findInIndex(
+ rule->getStr("nat_iface_orig")) );
 Interface *iface2=
- Interface::cast( rule->getRoot()->findInIndex(rule->getStr("nat_iface_trn")) );
+ Interface::cast( rule->getRoot()->findInIndex(
+ rule->getStr("nat_iface_trn")) );
 
- if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() ) {
+ if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() )
+ {
 char lvl1[32];
 char lvl2[32];
 sprintf(lvl1,"%d",iface1->getSecurityLevel());
@@ -405,19 +413,22 @@ bool NATCompiler_pix::verifyRuleElements::processNext() Address *tdst=compiler->getFirstTDst(rule); assert(tdst); Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv); - bool version_lt_63=libfwbuilder::XMLTools::version_compare(compiler->fw->getStr("version"),"6.3")<0; + bool version_lt_63 = libfwbuilder::XMLTools::version_compare( + compiler->fw->getStr("version"),"6.3")<0; if (rule->getRuleType()==NATRule::SNAT) { if ((! osrv->isAny() || ! tsrv->isAny()) && version_lt_63) - compiler->abort("only PIX v6.3 recognizes services in global NAT. Rule: "+rule->getLabel() ); + compiler->abort("only PIX v6.3 recognizes services in global NAT. " + "Rule: "+rule->getLabel() ); } if (rule->getRuleType()==NATRule::DNAT) { if (AddressRange::cast(odst) || AddressRange::cast(tdst)) compiler->abort( - "Address ranges are not supported in original destination or translated destination in NAT rule "+rule->getLabel() ); + "Address ranges are not supported in original destination or " + "translated destination in NAT rule "+rule->getLabel() ); if (Network::isA(odst) && Network::isA(tdst)) { @@ -428,15 +439,18 @@ bool NATCompiler_pix::verifyRuleElements::processNext() if ( !(n1==n2) ) compiler->abort( - "Original and translated destination must be of the same size in the NAT rule "+rule->getLabel()); + "Original and translated destination must be of the same " + "size in the NAT rule "+rule->getLabel()); } if (osrv->getTypeName()!=tsrv->getTypeName()) - compiler->abort("Original and translated services must be of the same type. Rule: "+rule->getLabel()); + compiler->abort("Original and translated services must be of " + "the same type. Rule: "+rule->getLabel()); if (ICMPService::isA(osrv)) - compiler->abort("ICMP services are not supported in static NAT. Rule: "+rule->getLabel()); + compiler->abort("ICMP services are not supported in static NAT. " + "Rule: "+rule->getLabel()); if (TCPService::isA(osrv) || UDPService::isA(osrv)) { 
@@ -444,7 +458,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
 int dre=osrv->getInt("dst_range_end");
 
 if (drs!=dre)
- compiler->abort("TCP or UDP service with a port range is not supported in NAT. Rule "+rule->getLabel());
+ compiler->abort("TCP or UDP service with a port range is not "
+ "supported in NAT. Rule "+rule->getLabel());
 }
 if (TCPService::isA(tsrv) || UDPService::isA(tsrv))
 {
@@ -452,7 +467,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
 int dre=tsrv->getInt("dst_range_end");
 
 if (drs!=dre)
- compiler->abort("TCP or UDP service with a port range is not supported in NAT. Rule "+rule->getLabel());
+ compiler->abort("TCP or UDP service with a port range is not "
+ "supported in NAT. Rule "+rule->getLabel());
 }
 }
 
@@ -646,16 +662,19 @@ void NATCompiler_pix::UseFirewallInterfaces::scanInterfaces(RuleElement *rel)
 " ( found object with type "+
 string((o!=NULL)?o->getTypeName():"") + ")");
 
+ const InetAddr *obj_addr = obj->getAddressPtr();
+ if (obj_addr==NULL) return;
 
 list l2=compiler->fw->getByType(Interface::TYPENAME);
 for (list::iterator i=l2.begin(); i!=l2.end(); ++i)
 {
- Interface *interface_=Interface::cast(*i);
-
- if ((*interface_->getAddressPtr()) == *(obj->getAddressPtr()))
+ Interface *iface=Interface::cast(*i);
+ const InetAddr *iface_addr = iface->getAddressPtr();
+ if (iface_addr == NULL) continue;
+ if (*iface_addr == *obj_addr)
 {
 rel->removeRef(obj);
- rel->addRef(interface_);
+ rel->addRef(iface);
 return;
 }
 }
diff --git a/src/pix/OSConfigurator_pix_os.cpp b/src/pix/OSConfigurator_pix_os.cpp
index b66a1816f..803259409 100644
--- a/src/pix/OSConfigurator_pix_os.cpp
+++ b/src/pix/OSConfigurator_pix_os.cpp
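Review bot: In the `@@ -646,16 +662,19 @@` hunk of `scanInterfaces`, the new `if (obj_addr==NULL) return;` silently leaves an address-less object in the rule element, while the lines just above it build a diagnostic for an unexpected object type, so a reader cannot tell whether the silent path is intended. Add a comment at the guard, e.g. `// no address: leave the object in place; PrintRule::_printAddr reports it when the rule is printed` — the `_printAddr` hunks in this commit do abort on a missing address, but confirm that every element reaching here is later printed through them. The added `iface_addr == NULL` skip is the right shape; the comparison `*iface_addr == *obj_addr` relies on `InetAddr::operator==` handling mixed address families, which the hunk does not show. `scanInterfaces` starts before this hunk.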
@@ -178,23 +178,28 @@ string OSConfigurator_pix_os::_printLogging()
 ostringstream str;
 bool logging_on=false;
 
- string syslog_host = fw->getOptionsObject()->getStr("pix_syslog_host");
- int syslog_queue_size=fw->getOptionsObject()->getInt("pix_syslog_queue_size");
- string syslog_facility= fw->getOptionsObject()->getStr("pix_syslog_facility");
- string trap_level= fw->getOptionsObject()->getStr("pix_logging_trap_level");
-
- bool buffered= fw->getOptionsObject()->getBool("pix_logging_buffered");
- string buffered_level= fw->getOptionsObject()->getStr("pix_logging_buffered_level");
-
- bool console= fw->getOptionsObject()->getBool("pix_logging_console");
- string console_level= fw->getOptionsObject()->getStr("pix_logging_console_level");
-
- bool timestamp= fw->getOptionsObject()->getBool("pix_logging_timestamp");
+ string syslog_host = fw->getOptionsObject()->getStr("pix_syslog_host");
+ int syslog_queue_size = fw->getOptionsObject()->getInt(
+ "pix_syslog_queue_size");
+ string syslog_facility = fw->getOptionsObject()->getStr(
+ "pix_syslog_facility");
+ string trap_level = fw->getOptionsObject()->getStr(
+ "pix_logging_trap_level");
+ bool buffered = fw->getOptionsObject()->getBool("pix_logging_buffered");
+ string buffered_level = fw->getOptionsObject()->getStr(
+ "pix_logging_buffered_level");
+ bool console = fw->getOptionsObject()->getBool("pix_logging_console");
+ string console_level = fw->getOptionsObject()->getStr(
+ "pix_logging_console_level");
+ bool timestamp = fw->getOptionsObject()->getBool("pix_logging_timestamp");
 
 if ( ! syslog_host.empty() )
 {
- string iface_id=helper.findInterfaceByNetzone(InetAddr(syslog_host));
- if (iface_id.empty()) abort("Log server "+syslog_host+" does not belong to any known network zone");
+ InetAddr syslog_addr(syslog_host);
+ string iface_id = helper.findInterfaceByNetzone(&syslog_addr);
+ if (iface_id.empty())
+ abort("Log server " + syslog_host +
+ " does not belong to any known network zone");
 Interface *syslog_iface = getCachedFwInterface(iface_id);
 
 str << endl;
@@ -251,18 +256,21 @@ string OSConfigurator_pix_os::_printLogging()
 return str.str();
 }
 
-string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,int poll_trap)
+string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,
+ int poll_trap)
 {
 Helper helper(this);
 ostringstream str;
-
- string iface_id=helper.findInterfaceByNetzone( InetAddr(srv) );
+ InetAddr srv_addr(srv);
+ string iface_id=helper.findInterfaceByNetzone(&srv_addr);
 if (iface_id.empty())
- abort(string("SNMP server ")+srv+" does not belong to any known network zone");
+ abort(string("SNMP server ") + srv +
+ " does not belong to any known network zone");
 Interface *snmp_iface = getCachedFwInterface(iface_id);
 
 str << "snmp-server host " << snmp_iface->getLabel() << " " << srv;
- switch (poll_trap) {
+ switch (poll_trap)
+ {
 case 1: str << " poll" << endl; break;
 case 2: str << " trap" << endl; break;
 default: str << endl; break;
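Review bot: `fw->getOptionsObject()` is called nine times in a row in the rewritten option block of `_printLogging`; hoisting it once into a local, `FWOptions *options = fw->getOptionsObject();` followed by `options->getStr(...)` and `options->getBool(...)`, would shorten every line and make the wrapped-argument formatting the commit introduces unnecessary. The same pattern appears in the `@@ -276,9 +284,12 @@` and `@@ -315,10 +329,14 @@` hunks of `_printSNMP`. Separately, `InetAddr syslog_addr(syslog_host)` (and `InetAddr srv_addr(srv)` in `_printSNMPServer` and `_printNTPServer`) is built from a free-form option string; if the `InetAddr` string constructor rejects an unparsable value by throwing, that happens before the `iface_id.empty()` check and its message will not name the option — pre-existing behavior, but worth a one-line comment now that the temporary has a name. `_printLogging` starts before and ends after this hunk.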
@@ -276,9 +284,12 @@ string OSConfigurator_pix_os::_printSNMP()
 string version = fw->getStr("version");
 string platform = fw->getStr("platform");
 
- bool set_communities=fw->getOptionsObject()->getBool("pix_set_communities_from_object_data");
- bool set_sysinfo= fw->getOptionsObject()->getBool("pix_set_sysinfo_from_object_data" );
- bool enable_traps= fw->getOptionsObject()->getBool("pix_enable_snmp_traps");
+ bool set_communities = fw->getOptionsObject()->getBool(
+ "pix_set_communities_from_object_data");
+ bool set_sysinfo = fw->getOptionsObject()->getBool(
+ "pix_set_sysinfo_from_object_data" );
+ bool enable_traps = fw->getOptionsObject()->getBool(
+ "pix_enable_snmp_traps");
 
 string clearSNMPcmd = Resources::platform_res[platform]->getResourceStr(
 string("/FWBuilderResources/Target/options/version_")+
@@ -294,7 +305,8 @@ string OSConfigurator_pix_os::_printSNMP()
 {
 if (set_communities)
 {
- string read_c=fw->getManagementObject()->getSNMPManagement()->getReadCommunity();
+ string read_c = fw->getManagementObject()->
+ getSNMPManagement()->getReadCommunity();
 str << endl;
 str << "snmp-server community " << read_c << endl;
 }
@@ -303,8 +315,10 @@ string OSConfigurator_pix_os::_printSNMP()
 string location=fw->getOptionsObject()->getStr("snmp_location");
 string contact =fw->getOptionsObject()->getStr("snmp_contact");
 str << endl;
- if (!location.empty()) str << "snmp-server location " << location << endl;
- if (!contact.empty()) str << "snmp-server contact " << contact << endl;
+ if (!location.empty())
+ str << "snmp-server location " << location << endl;
+ if (!contact.empty())
+ str << "snmp-server contact " << contact << endl;
 }
 if (enable_traps)
 {
@@ -315,10 +329,14 @@ string OSConfigurator_pix_os::_printSNMP()
 str << "no snmp-server enable traps" << endl;
 }
 
- string snmp_server_1= fw->getOptionsObject()->getStr("pix_snmp_server1");
- string snmp_server_2= fw->getOptionsObject()->getStr("pix_snmp_server2");
- int snmp_poll_traps_1= fw->getOptionsObject()->getInt("pix_snmp_poll_traps_1");
- int snmp_poll_traps_2= fw->getOptionsObject()->getInt("pix_snmp_poll_traps_2");
+ string snmp_server_1 = fw->getOptionsObject()->getStr(
+ "pix_snmp_server1");
+ string snmp_server_2 = fw->getOptionsObject()->getStr(
+ "pix_snmp_server2");
+ int snmp_poll_traps_1 = fw->getOptionsObject()->getInt(
+ "pix_snmp_poll_traps_1");
+ int snmp_poll_traps_2 = fw->getOptionsObject()->getInt(
+ "pix_snmp_poll_traps_2");
 
 if (!snmp_server_1.empty())
 str << _printSNMPServer(snmp_server_1,snmp_poll_traps_1);
@@ -334,9 +352,10 @@ string OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref)
 
 Helper helper(this);
 ostringstream str;
-
- string iface_id=helper.findInterfaceByNetzone( InetAddr(srv) );
- if (iface_id.empty()) abort("NTP server "+srv+" does not belong to any known network zone");
+ InetAddr srv_addr(srv);
+ string iface_id=helper.findInterfaceByNetzone(&srv_addr);
+ if (iface_id.empty())
+ abort("NTP server "+srv+" does not belong to any known network zone");
 Interface *ntp_iface = getCachedFwInterface(iface_id);
 str << "ntp server " << srv << " source " << ntp_iface->getLabel();
 if (pref) str << " prefer";
@@ -460,7 +479,8 @@ string OSConfigurator_pix_os::_printSysopt()
 return res.str();
 }
 
-string OSConfigurator_pix_os::_printServiceTimeout(const std::string &pix_service)
+string OSConfigurator_pix_os::_printServiceTimeout(
+ const std::string &pix_service)
 {
 ostringstream res;
 string hh,mm,ss;
diff --git a/src/pix/PolicyCompiler_pix_writers.cpp b/src/pix/PolicyCompiler_pix_writers.cpp
index b45ed7a56..6ccd72e33 100644
--- a/src/pix/PolicyCompiler_pix_writers.cpp
+++ b/src/pix/PolicyCompiler_pix_writers.cpp
@@ -351,11 +351,6 @@ string PolicyCompiler_pix::PrintRule::_printDstService(libfwbuilder::Service *sr string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o) { - ostringstream str; - - const InetAddr *srcaddr = o->getAddressPtr(); - InetAddr srcmask = *(o->getNetmaskPtr()); - if (Interface::cast(o)!=NULL) { Interface *interface_=Interface::cast(o); @@ -363,28 +358,43 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o) { return string("interface ") + interface_->getLabel() + " "; } - - srcmask = InetAddr(InetAddr::getAllOnes()); } - if (IPv4::cast(o)!=NULL) - srcmask = InetAddr(InetAddr::getAllOnes()); + ostringstream str; - - if (srcaddr->isAny() && srcmask.isAny()) + const InetAddr *srcaddr = o->getAddressPtr(); + if (srcaddr) { - str << "any "; - } else { - if (srcmask.isHostMask()) + InetAddr srcmask = *(o->getNetmaskPtr()); + + if (Interface::cast(o)!=NULL) + srcmask = InetAddr(InetAddr::getAllOnes()); + + if (IPv4::cast(o)!=NULL) + srcmask = InetAddr(InetAddr::getAllOnes()); + + + if (srcaddr->isAny() && srcmask.isAny()) { - str << "host " << srcaddr->toString() << " "; - } else - { - str << srcaddr->toString() << " "; - str << srcmask.toString() << " "; - } + str << "any "; + } else { + if (srcmask.isHostMask()) + { + str << "host " << srcaddr->toString() << " "; + } else + { + str << srcaddr->toString() << " "; + str << srcmask.toString() << " "; + } + } + return str.str(); + } else + { + compiler->abort(string("Object ") + o->getName() + + string(" (id=") + o->getId() + string(") ") + + string(" has no ip address and can not be used ") + + string("in the rule.")); } - return str.str(); } bool PolicyCompiler_pix::PrintRule::suppressDuplicateICMPCommands(const string &cmd) diff --git a/test/iosacl/do-diff b/test/iosacl/do-diff index 254dd941d..98ef80063 100755 --- a/test/iosacl/do-diff +++ b/test/iosacl/do-diff 
@@ -10,6 +10,6 @@ else TOOL="diff -u -b -B" fi -$TOOL firewall${N}.fw.orig firewall${N}.fw +$TOOL ${N}.fw.orig ${N}.fw