onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 10:17:16 +01:00
Code Issues Releases Wiki Activity

compilers for iosacl and pix use getAddressPtr

Browse Source
This commit is contained in:
Vadim Kurland 2008-05-20 00:02:10 +00:00
parent 41d6790592
commit c5f9a8f99b
7 changed files with 172 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/cisco_lib/Helper.cpp
View File

@ -100,27 +100,31 @@ void Helper::expand_group_recursive(FWObject *o,list<FWObject*> &ol)
string Helper::findInterfaceByAddress(libfwbuilder::Address *obj) string Helper::findInterfaceByAddress(libfwbuilder::Address *obj)
{ {
return findInterfaceByAddress( *(obj->getAddressPtr()) ); return findInterfaceByAddress( obj->getAddressPtr() );
} }
string Helper::findInterfaceByAddress(const libfwbuilder::InetAddr &addr) string Helper::findInterfaceByAddress(const libfwbuilder::InetAddr *addr)
{ {
if (addr==NULL) return "";
Firewall *fw=compiler->fw; Firewall *fw=compiler->fw;
list<FWObject*> l2=fw->getByType(Interface::TYPENAME); list<FWObject*> l2=fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i) { for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i) {
Interface *iface=Interface::cast(*i); Interface *iface=Interface::cast(*i);
if ( iface->belongs( addr ) ) return iface->getId(); if ( iface->belongs( *addr ) ) return iface->getId();
} }
return ""; return "";
} }
string Helper::findInterfaceByNetzone(Address *obj) string Helper::findInterfaceByNetzone(Address *obj)
{ {
return findInterfaceByNetzone(*(obj->getAddressPtr())); return findInterfaceByNetzone(obj->getAddressPtr());
} }
string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string) string Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
{ {
if (addr==NULL) return "";
Firewall *fw=compiler->fw; Firewall *fw=compiler->fw;
map<string,FWObject*> zones; map<string,FWObject*> zones;
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
@ -134,7 +138,7 @@ string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
j!=netzone->end(); ++j) j!=netzone->end(); ++j)
{ {
assert(Address::cast(*j)!=NULL); assert(Address::cast(*j)!=NULL);
if (Address::cast(*j)->belongs(addr)) if (Address::cast(*j)->belongs(*addr))
zones[(*i)->getId()]=netzone; zones[(*i)->getId()]=netzone;
} }
} }
@ -163,13 +167,11 @@ string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
* Subnets defined by addresses of interfaces are automatically part * Subnets defined by addresses of interfaces are automatically part
* of the corresponding network zones * of the corresponding network zones
*/ */
if (res_id.empty()) if (res_id.empty()) res_id=findInterfaceByAddress( addr );
res_id=findInterfaceByAddress( addr );
if (res_id.empty()) if (res_id.empty())
throw( throw(string("Can not find interface with network zone that includes "
string("Can not find interface with network zone that includes " "address ") + addr->toString());
"address ") + addr.toString());
return res_id; return res_id;
} }

4
src/cisco_lib/Helper.h
View File

@ -49,14 +49,14 @@ namespace fwcompiler {
* finds interface of the firewall to whose subnet object * finds interface of the firewall to whose subnet object
* 'obj' belongs to. Returns interface ID * 'obj' belongs to. Returns interface ID
*/ */
std::string findInterfaceByAddress(const libfwbuilder::InetAddr &a); std::string findInterfaceByAddress(const libfwbuilder::InetAddr *a);
std::string findInterfaceByAddress(libfwbuilder::Address *obj); std::string findInterfaceByAddress(libfwbuilder::Address *obj);
/** /**
* finds interface of the firewall associated with the netzone * finds interface of the firewall associated with the netzone
* that object 'obj' belongs to. Returns interface ID * that object 'obj' belongs to. Returns interface ID
*/ */
std::string findInterfaceByNetzone(const libfwbuilder::InetAddr &a) std::string findInterfaceByNetzone(const libfwbuilder::InetAddr *a)
throw(std::string); throw(std::string);
std::string findInterfaceByNetzone(libfwbuilder::Address *obj); std::string findInterfaceByNetzone(libfwbuilder::Address *obj);
std::list<std::string> findInterfaceByNetzoneOrAll( std::list<std::string> findInterfaceByNetzoneOrAll(

61
src/iosacl/PolicyCompiler_iosacl_writers.cpp
View File

@ -369,11 +369,6 @@ string PolicyCompiler_iosacl::PrintRule::_printDstService(Service *srv)
string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o) string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o)
{ {
ostringstream str;
const InetAddr *srcaddr = o->getAddressPtr();
InetAddr srcmask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=NULL) if (Interface::cast(o)!=NULL)
{ {
Interface *interface_=Interface::cast(o); Interface *interface_=Interface::cast(o);
@ -381,36 +376,50 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o)
{ {
return string("interface ") + interface_->getLabel() + " "; return string("interface ") + interface_->getLabel() + " ";
} }
srcmask = InetAddr(InetAddr::getAllOnes());
} }
if (IPv4::cast(o)!=NULL) ostringstream str;
srcmask = InetAddr(InetAddr::getAllOnes());
const InetAddr *srcaddr = o->getAddressPtr();
if (srcaddr->isAny() && srcmask.isAny()) if (srcaddr)
{ {
str << "any "; InetAddr srcmask = *(o->getNetmaskPtr());
} else {
if (srcmask.isHostMask()) if (Interface::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
if (IPv4::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
if (srcaddr->isAny() && srcmask.isAny())
{ {
str << "host " << srcaddr->toString() << " "; str << "any ";
} else } else {
{ if (srcmask.isHostMask())
str << srcaddr->toString() << " "; {
str << "host " << srcaddr->toString() << " ";
} else
{
str << srcaddr->toString() << " ";
// cisco uses "wildcards" instead of netmasks // cisco uses "wildcards" instead of netmasks
//long nm = srcmask.to32BitInt(); //long nm = srcmask.to32BitInt();
//struct in_addr na; //struct in_addr na;
//na.s_addr = ~nm; //na.s_addr = ~nm;
InetAddr nnm( ~srcmask ); InetAddr nnm( ~srcmask );
str << nnm.toString() << " "; str << nnm.toString() << " ";
} }
}
return str.str();
} else
{
compiler->abort(string("Object ") + o->getName() +
string(" (id=") + o->getId() + string(") ") +
string(" has no ip address and can not be used ") +
string("in the rule."));
} }
return str.str();
} }
/* /*

55
src/pix/NATCompiler_pix.cpp
View File

@ -350,9 +350,13 @@ bool NATCompiler_pix::AssignInterface::processNext()
rule->setStr("nat_iface_trn", helper.findInterfaceByNetzone(a2)); rule->setStr("nat_iface_trn", helper.findInterfaceByNetzone(a2));
if ( rule->getStr("nat_iface_orig")=="" ) if ( rule->getStr("nat_iface_orig")=="" )
compiler->abort("Object '"+a1->getName()+"' does not belong to any known network zone. Rule: "+rule->getLabel()); compiler->abort("Object '" + a1->getName() +
"' does not belong to any known network zone. Rule: " +
rule->getLabel());
if ( rule->getStr("nat_iface_trn")=="" ) if ( rule->getStr("nat_iface_trn")=="" )
compiler->abort("Object '"+a2->getName()+"' does not belong to any known network zone. Rule: "+rule->getLabel()); compiler->abort("Object '" + a2->getName() +
"' does not belong to any known network zone. Rule: " +
rule->getLabel());
// if ( rule->getStr("nat_iface_orig")==rule->getStr("nat_iface_trn")) // if ( rule->getStr("nat_iface_orig")==rule->getStr("nat_iface_trn"))
// compiler->abort("Objects '"+a1->getName()+"' and '"+a2->getName()+"' belong to the same network zone. Can not build NAT configuration. Rule: "+rule->getLabel()); // compiler->abort("Objects '"+a1->getName()+"' and '"+a2->getName()+"' belong to the same network zone. Can not build NAT configuration. Rule: "+rule->getLabel());
@ -368,13 +372,17 @@ bool NATCompiler_pix::verifyInterfaces::processNext()
#ifdef WRONG_CHECK #ifdef WRONG_CHECK
if ( rule->getStr("nat_iface_orig")!=rule->getStr("nat_iface_trn") ) if ( rule->getStr("nat_iface_orig")!=rule->getStr("nat_iface_trn") )
{ {
if (rule->getRuleType()==NATRule::SNAT) { if (rule->getRuleType()==NATRule::SNAT)
{
Interface *iface1= Interface *iface1=
Interface::cast( rule->getRoot()->findInIndex(rule->getStr("nat_iface_orig")) ); Interface::cast( rule->getRoot()->findInIndex(
rule->getStr("nat_iface_orig")) );
Interface *iface2= Interface *iface2=
Interface::cast( rule->getRoot()->findInIndex(rule->getStr("nat_iface_trn")) ); Interface::cast( rule->getRoot()->findInIndex(
rule->getStr("nat_iface_trn")) );
if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() ) { if ( iface1->getSecurityLevel() <= iface2->getSecurityLevel() )
{
char lvl1[32]; char lvl1[32];
char lvl2[32]; char lvl2[32];
sprintf(lvl1,"%d",iface1->getSecurityLevel()); sprintf(lvl1,"%d",iface1->getSecurityLevel());
@ -405,19 +413,22 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
Address *tdst=compiler->getFirstTDst(rule); assert(tdst); Address *tdst=compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv); Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv);
bool version_lt_63=libfwbuilder::XMLTools::version_compare(compiler->fw->getStr("version"),"6.3")<0; bool version_lt_63 = libfwbuilder::XMLTools::version_compare(
compiler->fw->getStr("version"),"6.3")<0;
if (rule->getRuleType()==NATRule::SNAT) if (rule->getRuleType()==NATRule::SNAT)
{ {
if ((! osrv->isAny() || ! tsrv->isAny()) && version_lt_63) if ((! osrv->isAny() || ! tsrv->isAny()) && version_lt_63)
compiler->abort("only PIX v6.3 recognizes services in global NAT. Rule: "+rule->getLabel() ); compiler->abort("only PIX v6.3 recognizes services in global NAT. "
"Rule: "+rule->getLabel() );
} }
if (rule->getRuleType()==NATRule::DNAT) if (rule->getRuleType()==NATRule::DNAT)
{ {
if (AddressRange::cast(odst) || AddressRange::cast(tdst)) if (AddressRange::cast(odst) || AddressRange::cast(tdst))
compiler->abort( compiler->abort(
"Address ranges are not supported in original destination or translated destination in NAT rule "+rule->getLabel() ); "Address ranges are not supported in original destination or "
"translated destination in NAT rule "+rule->getLabel() );
if (Network::isA(odst) && Network::isA(tdst)) if (Network::isA(odst) && Network::isA(tdst))
{ {
@ -428,15 +439,18 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
if ( !(n1==n2) ) if ( !(n1==n2) )
compiler->abort( compiler->abort(
"Original and translated destination must be of the same size in the NAT rule "+rule->getLabel()); "Original and translated destination must be of the same "
"size in the NAT rule "+rule->getLabel());
} }
if (osrv->getTypeName()!=tsrv->getTypeName()) if (osrv->getTypeName()!=tsrv->getTypeName())
compiler->abort("Original and translated services must be of the same type. Rule: "+rule->getLabel()); compiler->abort("Original and translated services must be of "
"the same type. Rule: "+rule->getLabel());
if (ICMPService::isA(osrv)) if (ICMPService::isA(osrv))
compiler->abort("ICMP services are not supported in static NAT. Rule: "+rule->getLabel()); compiler->abort("ICMP services are not supported in static NAT. "
"Rule: "+rule->getLabel());
if (TCPService::isA(osrv) || UDPService::isA(osrv)) if (TCPService::isA(osrv) || UDPService::isA(osrv))
{ {
@ -444,7 +458,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
int dre=osrv->getInt("dst_range_end"); int dre=osrv->getInt("dst_range_end");
if (drs!=dre) if (drs!=dre)
compiler->abort("TCP or UDP service with a port range is not supported in NAT. Rule "+rule->getLabel()); compiler->abort("TCP or UDP service with a port range is not "
"supported in NAT. Rule "+rule->getLabel());
} }
if (TCPService::isA(tsrv) || UDPService::isA(tsrv)) if (TCPService::isA(tsrv) || UDPService::isA(tsrv))
{ {
@ -452,7 +467,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
int dre=tsrv->getInt("dst_range_end"); int dre=tsrv->getInt("dst_range_end");
if (drs!=dre) if (drs!=dre)
compiler->abort("TCP or UDP service with a port range is not supported in NAT. Rule "+rule->getLabel()); compiler->abort("TCP or UDP service with a port range is not "
"supported in NAT. Rule "+rule->getLabel());
} }
} }
@ -646,16 +662,19 @@ void NATCompiler_pix::UseFirewallInterfaces::scanInterfaces(RuleElement *rel)
" ( found object with type "+ " ( found object with type "+
string((o!=NULL)?o->getTypeName():"<NULL>") + string((o!=NULL)?o->getTypeName():"<NULL>") +
")"); ")");
const InetAddr *obj_addr = obj->getAddressPtr();
if (obj_addr==NULL) return;
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME); list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i) for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{ {
Interface *interface_=Interface::cast(*i); Interface *iface=Interface::cast(*i);
const InetAddr *iface_addr = iface->getAddressPtr();
if ((*interface_->getAddressPtr()) == *(obj->getAddressPtr())) if (iface_addr == NULL) continue;
if (*iface_addr == *obj_addr)
{ {
rel->removeRef(obj); rel->removeRef(obj);
rel->addRef(interface_); rel->addRef(iface);
return; return;
} }
} }

86
src/pix/OSConfigurator_pix_os.cpp
View File

@ -178,23 +178,28 @@ string OSConfigurator_pix_os::_printLogging()
ostringstream str; ostringstream str;
bool logging_on=false; bool logging_on=false;
string syslog_host = fw->getOptionsObject()->getStr("pix_syslog_host"); string syslog_host = fw->getOptionsObject()->getStr("pix_syslog_host");
int syslog_queue_size=fw->getOptionsObject()->getInt("pix_syslog_queue_size"); int syslog_queue_size = fw->getOptionsObject()->getInt(
string syslog_facility= fw->getOptionsObject()->getStr("pix_syslog_facility"); "pix_syslog_queue_size");
string trap_level= fw->getOptionsObject()->getStr("pix_logging_trap_level"); string syslog_facility = fw->getOptionsObject()->getStr(
"pix_syslog_facility");
bool buffered= fw->getOptionsObject()->getBool("pix_logging_buffered"); string trap_level = fw->getOptionsObject()->getStr(
string buffered_level= fw->getOptionsObject()->getStr("pix_logging_buffered_level"); "pix_logging_trap_level");
bool buffered = fw->getOptionsObject()->getBool("pix_logging_buffered");
bool console= fw->getOptionsObject()->getBool("pix_logging_console"); string buffered_level = fw->getOptionsObject()->getStr(
string console_level= fw->getOptionsObject()->getStr("pix_logging_console_level"); "pix_logging_buffered_level");
bool console = fw->getOptionsObject()->getBool("pix_logging_console");
bool timestamp= fw->getOptionsObject()->getBool("pix_logging_timestamp"); string console_level = fw->getOptionsObject()->getStr(
"pix_logging_console_level");
bool timestamp = fw->getOptionsObject()->getBool("pix_logging_timestamp");
if ( ! syslog_host.empty() ) if ( ! syslog_host.empty() )
{ {
string iface_id=helper.findInterfaceByNetzone(InetAddr(syslog_host)); InetAddr syslog_addr(syslog_host);
if (iface_id.empty()) abort("Log server "+syslog_host+" does not belong to any known network zone"); string iface_id = helper.findInterfaceByNetzone(&syslog_addr);
if (iface_id.empty())
abort("Log server " + syslog_host +
" does not belong to any known network zone");
Interface *syslog_iface = getCachedFwInterface(iface_id); Interface *syslog_iface = getCachedFwInterface(iface_id);
str << endl; str << endl;
@ -251,18 +256,21 @@ string OSConfigurator_pix_os::_printLogging()
return str.str(); return str.str();
} }
string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,int poll_trap) string OSConfigurator_pix_os::_printSNMPServer(const std::string &srv,
int poll_trap)
{ {
Helper helper(this); Helper helper(this);
ostringstream str; ostringstream str;
InetAddr srv_addr(srv);
string iface_id=helper.findInterfaceByNetzone( InetAddr(srv) ); string iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id.empty()) if (iface_id.empty())
abort(string("SNMP server ")+srv+" does not belong to any known network zone"); abort(string("SNMP server ") + srv +
" does not belong to any known network zone");
Interface *snmp_iface = getCachedFwInterface(iface_id); Interface *snmp_iface = getCachedFwInterface(iface_id);
str << "snmp-server host " << snmp_iface->getLabel() << " " << srv; str << "snmp-server host " << snmp_iface->getLabel() << " " << srv;
switch (poll_trap) { switch (poll_trap)
{
case 1: str << " poll" << endl; break; case 1: str << " poll" << endl; break;
case 2: str << " trap" << endl; break; case 2: str << " trap" << endl; break;
default: str << endl; break; default: str << endl; break;
@ -276,9 +284,12 @@ string OSConfigurator_pix_os::_printSNMP()
string version = fw->getStr("version"); string version = fw->getStr("version");
string platform = fw->getStr("platform"); string platform = fw->getStr("platform");
bool set_communities=fw->getOptionsObject()->getBool("pix_set_communities_from_object_data"); bool set_communities = fw->getOptionsObject()->getBool(
bool set_sysinfo= fw->getOptionsObject()->getBool("pix_set_sysinfo_from_object_data" ); "pix_set_communities_from_object_data");
bool enable_traps= fw->getOptionsObject()->getBool("pix_enable_snmp_traps"); bool set_sysinfo = fw->getOptionsObject()->getBool(
"pix_set_sysinfo_from_object_data" );
bool enable_traps = fw->getOptionsObject()->getBool(
"pix_enable_snmp_traps");
string clearSNMPcmd = Resources::platform_res[platform]->getResourceStr( string clearSNMPcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/version_")+ string("/FWBuilderResources/Target/options/version_")+
@ -294,7 +305,8 @@ string OSConfigurator_pix_os::_printSNMP()
{ {
if (set_communities) { if (set_communities) {
string read_c=fw->getManagementObject()->getSNMPManagement()->getReadCommunity(); string read_c = fw->getManagementObject()->
getSNMPManagement()->getReadCommunity();
str << endl; str << endl;
str << "snmp-server community " << read_c << endl; str << "snmp-server community " << read_c << endl;
} }
@ -303,8 +315,10 @@ string OSConfigurator_pix_os::_printSNMP()
string location=fw->getOptionsObject()->getStr("snmp_location"); string location=fw->getOptionsObject()->getStr("snmp_location");
string contact =fw->getOptionsObject()->getStr("snmp_contact"); string contact =fw->getOptionsObject()->getStr("snmp_contact");
str << endl; str << endl;
if (!location.empty()) str << "snmp-server location " << location << endl; if (!location.empty())
if (!contact.empty()) str << "snmp-server contact " << contact << endl; str << "snmp-server location " << location << endl;
if (!contact.empty())
str << "snmp-server contact " << contact << endl;
} }
if (enable_traps) { if (enable_traps) {
@ -315,10 +329,14 @@ string OSConfigurator_pix_os::_printSNMP()
str << "no snmp-server enable traps" << endl; str << "no snmp-server enable traps" << endl;
} }
string snmp_server_1= fw->getOptionsObject()->getStr("pix_snmp_server1"); string snmp_server_1 = fw->getOptionsObject()->getStr(
string snmp_server_2= fw->getOptionsObject()->getStr("pix_snmp_server2"); "pix_snmp_server1");
int snmp_poll_traps_1= fw->getOptionsObject()->getInt("pix_snmp_poll_traps_1"); string snmp_server_2 = fw->getOptionsObject()->getStr(
int snmp_poll_traps_2= fw->getOptionsObject()->getInt("pix_snmp_poll_traps_2"); "pix_snmp_server2");
int snmp_poll_traps_1 = fw->getOptionsObject()->getInt(
"pix_snmp_poll_traps_1");
int snmp_poll_traps_2 = fw->getOptionsObject()->getInt(
"pix_snmp_poll_traps_2");
if (!snmp_server_1.empty()) if (!snmp_server_1.empty())
str << _printSNMPServer(snmp_server_1,snmp_poll_traps_1); str << _printSNMPServer(snmp_server_1,snmp_poll_traps_1);
@ -334,9 +352,10 @@ string OSConfigurator_pix_os::_printNTPServer(const std::string &srv,bool pref)
Helper helper(this); Helper helper(this);
ostringstream str; ostringstream str;
InetAddr srv_addr(srv);
string iface_id=helper.findInterfaceByNetzone( InetAddr(srv) ); string iface_id=helper.findInterfaceByNetzone(&srv_addr);
if (iface_id.empty()) abort("NTP server "+srv+" does not belong to any known network zone"); if (iface_id.empty())
abort("NTP server "+srv+" does not belong to any known network zone");
Interface *ntp_iface = getCachedFwInterface(iface_id); Interface *ntp_iface = getCachedFwInterface(iface_id);
str << "ntp server " << srv << " source " << ntp_iface->getLabel(); str << "ntp server " << srv << " source " << ntp_iface->getLabel();
if (pref) str << " prefer"; if (pref) str << " prefer";
@ -460,7 +479,8 @@ string OSConfigurator_pix_os::_printSysopt()
return res.str(); return res.str();
} }
string OSConfigurator_pix_os::_printServiceTimeout(const std::string &pix_service) string OSConfigurator_pix_os::_printServiceTimeout(
const std::string &pix_service)
{ {
ostringstream res; ostringstream res;
string hh,mm,ss; string hh,mm,ss;

52
src/pix/PolicyCompiler_pix_writers.cpp
View File

@ -351,11 +351,6 @@ string PolicyCompiler_pix::PrintRule::_printDstService(libfwbuilder::Service *sr
string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o) string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
{ {
ostringstream str;
const InetAddr *srcaddr = o->getAddressPtr();
InetAddr srcmask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=NULL) if (Interface::cast(o)!=NULL)
{ {
Interface *interface_=Interface::cast(o); Interface *interface_=Interface::cast(o);
@ -363,28 +358,43 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
{ {
return string("interface ") + interface_->getLabel() + " "; return string("interface ") + interface_->getLabel() + " ";
} }
srcmask = InetAddr(InetAddr::getAllOnes());
} }
if (IPv4::cast(o)!=NULL) ostringstream str;
srcmask = InetAddr(InetAddr::getAllOnes());
const InetAddr *srcaddr = o->getAddressPtr();
if (srcaddr->isAny() && srcmask.isAny()) if (srcaddr)
{ {
str << "any "; InetAddr srcmask = *(o->getNetmaskPtr());
} else {
if (srcmask.isHostMask()) if (Interface::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
if (IPv4::cast(o)!=NULL)
srcmask = InetAddr(InetAddr::getAllOnes());
if (srcaddr->isAny() && srcmask.isAny())
{ {
str << "host " << srcaddr->toString() << " "; str << "any ";
} else } else {
{ if (srcmask.isHostMask())
str << srcaddr->toString() << " "; {
str << srcmask.toString() << " "; str << "host " << srcaddr->toString() << " ";
} } else
{
str << srcaddr->toString() << " ";
str << srcmask.toString() << " ";
}
}
return str.str();
} else
{
compiler->abort(string("Object ") + o->getName() +
string(" (id=") + o->getId() + string(") ") +
string(" has no ip address and can not be used ") +
string("in the rule."));
} }
return str.str();
} }
bool PolicyCompiler_pix::PrintRule::suppressDuplicateICMPCommands(const string &cmd) bool PolicyCompiler_pix::PrintRule::suppressDuplicateICMPCommands(const string &cmd)

2
test/iosacl/do-diff
View File

@ -10,6 +10,6 @@ else
TOOL="diff -u -b -B" TOOL="diff -u -b -B"
fi fi
$TOOL firewall${N}.fw.orig firewall${N}.fw $TOOL ${N}.fw.orig ${N}.fw