Thread: [fwbuilder-commits] r1353 - in branches/v3_1_secunet: . doc src/cisco_lib src/compiler_lib src/iosa
Brought to you by:
mikehorn
Menu
▾
▴
fwbuilder-commits
|
From: <va...@in...> - 2009-08-27 05:05:40
|
Author: vadim
Date: 2009-08-26 22:03:34 -0700 (Wed, 26 Aug 2009)
New Revision: 1353
Modified:
branches/v3_1_secunet/build_num
branches/v3_1_secunet/doc/ChangeLog
branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.cpp
branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.h
branches/v3_1_secunet/src/cisco_lib/RoutingCompiler_cisco.h
branches/v3_1_secunet/src/compiler_lib/CompilerDriver.cpp
branches/v3_1_secunet/src/compiler_lib/CompilerDriver.h
branches/v3_1_secunet/src/compiler_lib/compiler_lib.pro
branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl.h
branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl_run.cpp
branches/v3_1_secunet/src/iosacl/OSConfigurator_ios.h
branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.cpp
branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.h
branches/v3_1_secunet/src/iosacl/RoutingCompiler_iosacl.h
branches/v3_1_secunet/src/ipf/CompilerDriver_ipf.h
branches/v3_1_secunet/src/ipf/CompilerDriver_ipf_run.cpp
branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw.h
branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw_run.cpp
branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.cpp
branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.h
branches/v3_1_secunet/src/ipt/CompilerDriver_ipt_run.cpp
branches/v3_1_secunet/src/ipt/MangleTableCompiler_ipt.h
branches/v3_1_secunet/src/ipt/NATCompiler_PrintRule.cpp
branches/v3_1_secunet/src/ipt/NATCompiler_ipt.cpp
branches/v3_1_secunet/src/ipt/NATCompiler_ipt.h
branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.cpp
branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.h
branches/v3_1_secunet/src/ipt/OSConfigurator_linux24.cpp
branches/v3_1_secunet/src/ipt/OSConfigurator_linux24.h
branches/v3_1_secunet/src/ipt/OSConfigurator_secuwall.cpp
branches/v3_1_secunet/src/ipt/OSConfigurator_secuwall.h
branches/v3_1_secunet/src/ipt/PolicyCompiler_PrintRule.cpp
branches/v3_1_secunet/src/ipt/PolicyCompiler_ipt.cpp
branches/v3_1_secunet/src/ipt/PolicyCompiler_ipt.h
branches/v3_1_secunet/src/ipt/PolicyCompiler_secuwall.cpp
branches/v3_1_secunet/src/ipt/PolicyCompiler_secuwall.h
branches/v3_1_secunet/src/ipt/RoutingCompiler_ipt.cpp
branches/v3_1_secunet/src/ipt/RoutingCompiler_ipt.h
branches/v3_1_secunet/src/pf/CompilerDriver_pf.h
branches/v3_1_secunet/src/pf/CompilerDriver_pf_run.cpp
branches/v3_1_secunet/src/pflib/NATCompiler_ipf.h
branches/v3_1_secunet/src/pflib/NATCompiler_ipfw.h
branches/v3_1_secunet/src/pflib/NATCompiler_pf.h
branches/v3_1_secunet/src/pflib/OSConfigurator_bsd.h
branches/v3_1_secunet/src/pflib/OSConfigurator_freebsd.h
branches/v3_1_secunet/src/pflib/OSConfigurator_macosx.h
branches/v3_1_secunet/src/pflib/OSConfigurator_openbsd.h
branches/v3_1_secunet/src/pflib/OSConfigurator_solaris.h
branches/v3_1_secunet/src/pflib/PolicyCompiler_ipf.h
branches/v3_1_secunet/src/pflib/PolicyCompiler_ipfw.h
branches/v3_1_secunet/src/pflib/PolicyCompiler_pf.h
branches/v3_1_secunet/src/pflib/Preprocessor_pf.h
branches/v3_1_secunet/src/pix/CompilerDriver_pix.cpp
branches/v3_1_secunet/src/pix/CompilerDriver_pix.h
branches/v3_1_secunet/src/pix/CompilerDriver_pix_run.cpp
branches/v3_1_secunet/src/pix/NATCompiler_pix.cpp
branches/v3_1_secunet/src/pix/NATCompiler_pix.h
branches/v3_1_secunet/src/pix/OSConfigurator_pix_os.h
branches/v3_1_secunet/src/pix/PolicyCompiler_pix.cpp
branches/v3_1_secunet/src/pix/PolicyCompiler_pix.h
branches/v3_1_secunet/src/pix/RoutingCompiler_pix.h
Log:
2009-08-26 vadim <va...@vk...>
* CompilerDriver.cpp (CompilerDriver::populateClusterElements):
moved this method from class Compiler. fixes #367
* CompilerDriver_compile.cpp (compileSingleRule): entry point for
single rule compile. Takes one argument - rule ID and returns a
QMap<QString,QString> where key is firewall name and value is
generated script for this rule. Currently using this entry point
in the command line compilers via cli argument -s rule_id. Fully
implemented in fwb_ipt. Fixes #358, #206
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): using
std::auto_ptr to protect OSConfigurator, PolicyCompiler and
NATCompiler objects and to properly delete them to avoid memory
leaks in fwb_ipt. fixes #371
Modified: branches/v3_1_secunet/build_num
===================================================================
--- branches/v3_1_secunet/build_num 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/build_num 2009-08-27 05:03:34 UTC (rev 1353)
@@ -1 +1 @@
-#define BUILD_NUM 1351
+#define BUILD_NUM 1352
Modified: branches/v3_1_secunet/doc/ChangeLog
===================================================================
--- branches/v3_1_secunet/doc/ChangeLog 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/doc/ChangeLog 2009-08-27 05:03:34 UTC (rev 1353)
@@ -1,3 +1,20 @@
+2009-08-26 vadim <va...@vk...>
+
+ * CompilerDriver.cpp (CompilerDriver::populateClusterElements):
+ moved this method from class Compiler. fixes #367
+
+ * CompilerDriver_compile.cpp (compileSingleRule): entry point for
+ single rule compile. Takes one argument - rule ID and returns a
+ QMap<QString,QString> where key is firewall name and value is
+ generated script for this rule. Currently using this entry point
+ in the command line compilers via cli argument -s rule_id. Fully
+ implemented in fwb_ipt. Fixes #358, #206
+
+ * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): using
+ std::auto_ptr to protect OSConfigurator, PolicyCompiler and
+ NATCompiler objects and to properly delete them to avoid memory
+ leaks in fwb_ipt. fixes #371
+
2009-08-24 vadim <va...@vk...>
* CompilerDriver.cpp (CompilerDriver::commonChecks2): refactored
Modified: branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.cpp
===================================================================
--- branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -61,10 +61,10 @@
string PolicyCompiler_cisco::myPlatformName() { return ""; }
PolicyCompiler_cisco::PolicyCompiler_cisco(FWObjectDatabase *_db,
- const std::string &fwname,
+ Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf) :
- PolicyCompiler(_db, fwname, ipv6_policy, _oscnf) , helper(this)
+ PolicyCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this)
{
}
Modified: branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.h
===================================================================
--- branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -434,7 +434,7 @@
public:
PolicyCompiler_cisco(libfwbuilder::FWObjectDatabase *_db,
- const std::string &fwname,
+ libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf);
virtual ~PolicyCompiler_cisco() {}
Modified: branches/v3_1_secunet/src/cisco_lib/RoutingCompiler_cisco.h
===================================================================
--- branches/v3_1_secunet/src/cisco_lib/RoutingCompiler_cisco.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/cisco_lib/RoutingCompiler_cisco.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -114,9 +114,9 @@
RoutingCompiler_cisco::PrintRule *printRule;
RoutingCompiler_cisco(libfwbuilder::FWObjectDatabase *_db,
- const std::string &fwname, bool ipv6_policy,
+ libfwbuilder::Firewall *fw, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
- RoutingCompiler(_db, fwname, ipv6_policy, _oscnf) {}
+ RoutingCompiler(_db, fw, ipv6_policy, _oscnf) {}
virtual int prolog();
virtual void compile();
Modified: branches/v3_1_secunet/src/compiler_lib/CompilerDriver.cpp
===================================================================
--- branches/v3_1_secunet/src/compiler_lib/CompilerDriver.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/compiler_lib/CompilerDriver.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -53,7 +53,9 @@
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Rule.h"
-#include "fwbuilder/RuleSet.h"
+#include "fwbuilder/Policy.h"
+#include "fwbuilder/NAT.h"
+#include "fwbuilder/Routing.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
@@ -78,6 +80,7 @@
dl = 0;
drp = -1;
rule_debug_on = false;
+ single_rule_compile_on = false;
drn = -1;
verbose = 0;
have_dynamic_interfaces = false;
@@ -101,68 +104,6 @@
return new CompilerDriver(objdb);
}
-bool CompilerDriver::prepare(const QStringList &_args)
-{
- args = _args;
-
- if (!configure(args)) return false;
-
- Firewall *fw = locateObject();
-
- if (fw == NULL)
- {
- cerr << "Firewall or cluster object not found" << endl;
- return false;
- }
- return true;
-}
-
-void CompilerDriver::compile()
-{
- Firewall *fw = locateObject();
- if (Cluster::isA(fw))
- {
- commonChecks(fw);
- // compiling cluster.
- list<Firewall*> members;
- Cluster::cast(fw)->getMembersList(members);
- for (list<Firewall*>::iterator it=members.begin(); it!=members.end(); ++it)
- {
- cout << endl;
- cout << " Firewall " << (*it)->getName()
- << " member of cluster " << fw->getName()
- << endl;
-
- CompilerDriver *cl_driver = clone();
- cl_driver->configure(args);
- cl_driver->chDir();
- cl_driver->run(objdb->getStringId(fw->getId()),
- objdb->getStringId((*it)->getId()));
- delete cl_driver;
- }
- }
- else
- {
- chDir();
- commonChecks(fw);
- run("", objdb->getStringId(fw->getId()));
- }
-}
-
-/*
- * Compile single rule and return generated code. Rule is defined by
- * its ID, this is sufficient to locate the rule, ruleset and firewall
- * objects. If ruleset belongs to a cluster, compile all members and
- * return code generated for all of them. Returned code is placed in
- * QMap where the key is member firewall name and value is generated
- * script. If the rule belongs to a firewall rather than a cluster,
- * returned QMap contains one item.
- */
-QMap<QString,QString> CompilerDriver::compileSingleRule(const std::string &rule_id)
-{
-
-}
-
bool CompilerDriver::configure(const QStringList &args)
{
QString last_arg;
@@ -264,6 +205,14 @@
rule_debug_on = true;
continue;
}
+
+ if (arg == "-s")
+ {
+ idx++;
+ single_rule_id = args.at(idx).toStdString();
+ single_rule_compile_on = true;
+ continue;
+ }
}
fwobjectname = last_arg;
@@ -289,9 +238,6 @@
void CompilerDriver::commonChecks(Firewall *fw)
{
- // Temporary compiler object, need it to copy rules and process errors
- Compiler *compiler = new Compiler(objdb, fw->getName(), false);
-
if (Cluster::isA(fw))
{
Cluster *cluster = Cluster::cast(fw);
@@ -311,7 +257,7 @@
string err =
string("Member firewalls use the same output file name ") +
ofname;
- compiler->abort(err);
+ throw FWException(err);
}
output_file_names.insert(ofname);
}
@@ -323,9 +269,6 @@
QString current_firewall_name = fw->getName().c_str();
string host_os = fw->getStr("host_OS");
- // Temporary compiler object, need it to copy rules and process errors
- Compiler *compiler = new Compiler(objdb, fw->getName(), false);
-
if (cluster)
{
// firewall is a member of a cluster.
@@ -334,16 +277,10 @@
processStateSyncGroups(cluster, fw);
- // Copy rules from the cluster object
- // Need temporary compiler object for this.
- compiler->populateClusterElements(cluster, fw);
-
// some initial sanity checks
validateClusterGroups(cluster);
}
- delete compiler;
-
list<FWObject*> interfaces = fw->getByTypeDeep(Interface::TYPENAME);
for (list<FWObject*>::iterator i=interfaces.begin(); i!=interfaces.end(); ++i)
{
@@ -561,15 +498,13 @@
imported_policies.begin(), imported_policies.end());
}
-void CompilerDriver::run(const std::string&, const std::string&)
+string CompilerDriver::run(const std::string&, const std::string&, const std::string&)
{
+ return "";
}
void CompilerDriver::validateClusterGroups(Cluster *cluster)
{
- // Temporary compiler object, need it to process errors
- Compiler *compiler = new Compiler(objdb, cluster->getName(), false);
-
string host_os = cluster->getStr("host_OS");
Resources* os_res = Resources::os_res[host_os];
if (os_res==NULL) return;
@@ -586,7 +521,7 @@
if (!isSupported(&state_sync_protocols, state_sync_type))
{
QString err("State sync group type %1 is not supported");
- compiler->abort(err.arg(state_sync_type.c_str()).toStdString());
+ throw FWException(err.arg(state_sync_type.c_str()).toStdString());
}
}
@@ -602,11 +537,9 @@
if (!isSupported(&failover_protocols, failover_type))
{
QString err("Failover group type %1 is not supported");
- compiler->abort(err.arg(failover_type.c_str()).toStdString());
+ throw FWException(err.arg(failover_type.c_str()).toStdString());
}
}
-
- delete compiler;
}
bool CompilerDriver::isSupported(list<string> *protocols, const string &cluster_group_type)
@@ -665,4 +598,317 @@
return str.join("\n");
}
+/*
+ * 1. Iterate over all fw interfaces and check if they are referenced in a
+ * ClusterGroup.
+ * -> if yes then make copy of vrrp interface and set BASEDEV accordingly
+ * 2. clear Policy, NAT & Routing rules of the firewall, then copy cluster
+ * policy, NAT and routing rules.
+ */
+int CompilerDriver::populateClusterElements(Cluster *cluster, Firewall *fw)
+{
+ if (cluster==NULL) return 0;
+ int addedPolicies = 0;
+ set<string> state_sync_types;
+
+ checkCluster(cluster);
+
+ for (FWObjectTypedChildIterator it = cluster->findByType(StateSyncClusterGroup::TYPENAME);
+ it != it.end(); ++it)
+ {
+ StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast(*it);
+ /* For the state syncing cluster group, hierarchy looks like this:
+ * Cluster->StateSyncClusterGroup->ObjectRef
+ */
+ string grp_type = state_sync_group->getStr("type");
+ if (state_sync_types.count(grp_type) > 0)
+ throw FWException("Several state synchronization groups of the same type in one cluster object.");
+
+ state_sync_types.insert(grp_type);
+
+ for (FWObjectTypedChildIterator it =
+ state_sync_group->findByType(FWObjectReference::TYPENAME);
+ it != it.end(); ++it)
+ {
+ Interface *iface = Interface::cast(FWObjectReference::getObject(*it));
+ assert(iface);
+ //processStateSyncGroup(cluster, fw, state_sync_group, iface);
+
+ iface->getOptionsObject()->setBool("state_sync_group_member", true);
+ iface->getOptionsObject()->setStr(
+ "state_sync_group_id",
+ FWObjectDatabase::getStringId(state_sync_group->getId()));
+ string master_id = state_sync_group->getStr("master_iface");
+ string iface_str_id = FWObjectDatabase::getStringId(iface->getId());
+ iface->getOptionsObject()->setBool("state_sync_master",
+ master_id == iface_str_id);
+ fw->getOptionsObject()->setBool("cluster_member", true);
+ }
+ }
+
+ /* For VRRP references the hierarchy is as follows:
+ * Cluster->Interface->FailoverClusterGroup->ObjectRef
+ */
+ FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME);
+ for (; cl_iface != cl_iface.end(); ++cl_iface)
+ {
+ FailoverClusterGroup *failover_group =
+ FailoverClusterGroup::cast(
+ (*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME));
+ if (failover_group)
+ {
+ for (FWObjectTypedChildIterator it =
+ failover_group->findByType(FWObjectReference::TYPENAME);
+ it != it.end(); ++it)
+ {
+ Interface *iface = Interface::cast(FWObjectReference::getObject(*it));
+ assert(iface);
+ // We need to do some sanity checks of cluster
+ // interfaces for VRRP and then add them to the
+ // firewall object.
+ // These actions are very generic and have nothing specific
+ // to VRRP. Unless new protocol is added that requires
+ // something radically different, will always call this method
+ // for failover groups.
+ //if (failover_group->getStr("type") == "vrrp")
+ if (iface->isChildOf(fw))
+ copyFailoverInterface(cluster, fw, failover_group, iface);
+ }
+ } else
+ {
+ // cluster interface without failover group
+ // is this a loopback interface ?
+ Interface *cluster_interface = Interface::cast(*cl_iface);
+ if (cluster_interface->isLoopback())
+ {
+ /* Add copy of the interface from the cluster to the
+ * firewall object so that when it is encountered in
+ * the "intrface" rule element of its rules, it
+ * belongs to the firewall and is therefore valid.
+ */
+ Interface* new_cl_if = Interface::cast(fw->addCopyOf(cluster_interface, true));
+ assert(new_cl_if != NULL);
+ new_cl_if->getOptionsObject()->setBool("cluster_interface", true);
+ }
+ }
+ }
+
+ int fw_direct_rules_count = fw->getPolicy()->size() +
+ fw->getNAT()->size() + fw->getRouting()->size();
+
+ if (fw_direct_rules_count > 0)
+ {
+ cout << "Warning: ignoring firewall policy (" << fw->getName();
+ cout << ") since firewall is a cluster member." << endl;
+ }
+
+ fw->getPolicy()->clear();
+ fw->getNAT()->clear();
+ fw->getRouting()->clear();
+
+// Copy PolicyRules from the cluster.
+ /* Policy rules */
+ Policy* cluster_policy = cluster->getPolicy();
+ Policy* fw_policy = fw->getPolicy();
+ if (cluster_policy)
+ {
+ cluster_policy->setName("Cluster-Policy");
+ for(int i = 0; i < cluster_policy->getRuleSetSize(); i++)
+ {
+ /* Add rule to firewall policy. New rule in the fw rule set
+ * has the same ID.
+ */
+ PolicyRule* rule = PolicyRule::cast(cluster_policy->getRuleByNum(i));
+ PolicyRule::cast(fw_policy->addCopyOf(rule, false));
+ addedPolicies++;
+ }
+ }
+
+ /* NAT rules */
+ NAT* cluster_nat = cluster->getNAT();
+ NAT* fw_nat = fw->getNAT();
+ if (cluster_nat)
+ {
+ cluster_nat->setName("Cluster-NAT");
+ for (int i = 0; i < cluster_nat->getRuleSetSize(); i++)
+ {
+ /* Add rule to firewall policy */
+ NATRule* rule = NATRule::cast(cluster_nat->getRuleByNum(i));
+ NATRule::cast(fw_nat->addCopyOf(rule, false));
+ addedPolicies++;
+ }
+ }
+
+ /* Routing rules */
+ Routing* cluster_routes = cluster->getRouting();
+ Routing* fw_routes = fw->getRouting();
+ if (cluster_routes)
+ {
+ cluster_routes->setName("Cluster-Routing");
+ for(int i = 0; i < cluster_routes->getRuleSetSize(); i++)
+ {
+ /* Add rule to firewall policy */
+ RoutingRule* rule = RoutingRule::cast(cluster_routes->getRuleByNum(i));
+ RoutingRule::cast(fw_routes->addCopyOf(rule, false));
+ addedPolicies++;
+ }
+ }
+
+ // finally need to remember cluster object ID so that compiler can later
+ // associate it in rules with the firewall.
+ //
+ // The alternative is to find all references to the cluster object
+ // in rules and replace them with refs to the firewall. That could
+ // be done either in prolog or in a special rule processor. It is
+ // _much_ cheaper to just remember cluster ID though.
+ fw->setInt("parent_cluster_id", cluster->getId());
+
+ return addedPolicies;
+}
+
+/*
+ * Perform checks for fialover interfaces and their addresses, add a
+ * copy of failover interface form the cluster to the firewall object.
+ *
+ * This method assumes the following:
+ *
+ * - Failover interface owns its ip address which is different from
+ * addresses of either firewall
+ *
+ * - address of the failover interface must be on the same subnet as
+ * addresses of the firewalls (perhaps this restriction can be
+ * lifted? Was originally implemented by Secunet folks like this)
+ */
+void CompilerDriver::copyFailoverInterface(Cluster *cluster,
+ Firewall *fw,
+ FailoverClusterGroup *cluster_group,
+ Interface *iface)
+{
+ Interface* cluster_if = Interface::cast(cluster_group->getParent());
+ assert(cluster_if != NULL);
+ string cluster_if_name = cluster_if->getName();
+
+ /* Check that VRRP interface and fw interface are in same subnet.
+ * Exception: if interface is dynamic and does not have an ip address in
+ * fwbuilder configuration, assume it is ok.
+ */
+ if (iface->isRegular())
+ {
+ const Address *iface_addr = iface->getAddressObject();
+ // even regular interface may have no address if user forgot
+ // to add one, so check if iface_addr == NULL
+ // Also check if cluster interface has ip address, it does not
+ // always need one.
+
+ if (iface_addr && cluster_if->getAddressObject() &&
+ !isReachable(cluster_if->getAddressObject(), iface_addr->getAddressPtr())
+ )
+ {
+ cerr << " Warning: "
+ << cluster_if_name
+ << " and "
+ << iface->getName()
+ << " are not in the same subnet." << endl;
+ }
+ }
+
+ assert(fw->getOptionsObject() != NULL);
+
+ iface->getOptionsObject()->setStr(
+ "failover_group_id", FWObjectDatabase::getStringId(cluster_group->getId()));
+
+ /* Add copy of the cluster interface to the firewall object
+ *
+ * While adding a copy of cluster interface to the firewall, make
+ * sure it has new unique ID instead of a copy of the ID of the
+ * cluster's interface object. If the ID is the same,
+ * RuleElementItf::validateChild() finds clusters' interface which
+ * is not a child of the firewall object and therefore is
+ * rejected.
+ */
+ Interface* new_cl_if = Interface::cast(fw->addCopyOf(cluster_if, true));
+ assert(new_cl_if != NULL);
+ new_cl_if->getOptionsObject()->setBool("cluster_interface", true);
+ new_cl_if->getOptionsObject()->setStr("base_device", iface->getName());
+ new_cl_if->getOptionsObject()->setStr(
+ "base_interface_id", FWObjectDatabase::getStringId(iface->getId()));
+
+ /* Set master property if interface is referenced
+ * as master_iface
+ */
+ string master_id = cluster_group->getStr("master_iface");
+ string iface_str_id = FWObjectDatabase::getStringId(iface->getId());
+
+ new_cl_if->getOptionsObject()->setBool("failover_master",
+ master_id == iface_str_id);
+
+ fw->getOptionsObject()->setBool("cluster_member", true);
+
+ /* Add copy of firewall's real interface to the cluster to make sure
+ * compiler recognizes it when it encounters cluster object in rules.
+ * This fixes #15 (makes compiler choose correct chains)
+ */
+ cluster->addCopyOf(iface, true);
+}
+
+/*
+ * Verify that there is at least one Cluster interface and that all
+ * have unique names and IP addresses.
+ */
+int CompilerDriver::checkCluster(Cluster* cluster)
+{
+ assert(cluster != NULL);
+ FWObjectTypedChildIterator cluster_ifaces = cluster->findByType(Interface::TYPENAME);
+ if (cluster_ifaces == cluster_ifaces.end())
+ {
+ /* No configured cluster interface present */
+ ostringstream str;
+ str << "The cluster has no interfaces." << endl;
+ throw FWException(str.str());
+ }
+
+ for (; cluster_ifaces != cluster_ifaces.end(); ++cluster_ifaces)
+ {
+ string iface_name = Interface::cast(*cluster_ifaces)->getName();
+ const InetAddr* iface_address = Interface::cast(*cluster_ifaces)->getAddressPtr();
+ if (iface_address==NULL) continue; // cluster interface with no address
+ FWObjectTypedChildIterator other_ifaces = cluster_ifaces;
+ for (++other_ifaces; other_ifaces != cluster_ifaces.end(); ++other_ifaces)
+ {
+ if (iface_name == Interface::cast(*other_ifaces)->getName())
+ {
+ ostringstream str;
+ str << "Found duplicate cluster interface name " << iface_name << "." << endl;
+ throw FWException(str.str());
+ }
+ const InetAddr *other_iface_address = Interface::cast(*other_ifaces)->getAddressPtr();
+ if (other_iface_address==NULL) continue; // cluster interface with no address
+ if (*iface_address == *other_iface_address)
+ {
+ ostringstream str;
+ str << "Found duplicate cluster interface address ";
+ str << iface_address->toString() << "." << endl;
+ throw FWException(str.str());
+ }
+ }
+ }
+
+ return 0;
+}
+
+bool CompilerDriver::isReachable(const Address* const client,
+ const InetAddr* const server)
+{
+ const InetAddr *addr = client->getAddressPtr();
+ const InetAddr *netm = client->getNetmaskPtr();
+ if (addr)
+ {
+ InetAddrMask fw_net(*addr, *netm);
+ if (fw_net.belongs(*server))
+ return true;
+ }
+ return false;
+}
+
+
Modified: branches/v3_1_secunet/src/compiler_lib/CompilerDriver.h
===================================================================
--- branches/v3_1_secunet/src/compiler_lib/CompilerDriver.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/compiler_lib/CompilerDriver.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -40,6 +40,7 @@
class FWObjectDatabase;
class Cluster;
class ClusterGroup;
+ class FailoverClusterGroup;
class Firewall;
class RuleSet;
class Interface;
@@ -67,6 +68,8 @@
int dl;
int drp;
bool rule_debug_on;
+ bool single_rule_compile_on;
+ std::string single_rule_id;
int drn;
int verbose;
bool have_dynamic_interfaces;
@@ -87,6 +90,12 @@
bool isSupported(std::list<std::string> *protocols,
const std::string &cluster_group_type);
+ virtual int checkCluster(libfwbuilder::Cluster* cluster);
+
+ // checks if address @addr belongs to the subnet defined by @subnet
+ static bool isReachable(const libfwbuilder::Address* const subnet,
+ const libfwbuilder::InetAddr* const addr);
+
public:
CompilerDriver(libfwbuilder::FWObjectDatabase *db);
@@ -94,14 +103,40 @@
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
-
+
+ /**
+ * Process command line arguments
+ */
virtual bool configure(const QStringList &args);
- virtual void run(const std::string &cluster_id, const std::string &firewall_id);
+ /**
+ * create right compiler objects and compile policy, nat and
+ * routing rules for given firewall which can be a member of a
+ * cluster. If firewall is standalone, @cluster_id is an empty
+ * string. Cluster and firewall are defined by their string IDs.
+ * In single compile mode rule ID is provided in @single_rule_id
+ * and generated script is returned. For compilers that create
+ * several files it is up to the actual cmopiler class to decide
+ * what should be returned in the single rule compile mode. In
+ * normal (not single rule) compile mode returned string is
+ * undefined and should not be used.
+ */
+ virtual std::string run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id);
+
virtual void commonChecks(libfwbuilder::Firewall *fw);
virtual void commonChecks2(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall *fw);
+ void copyFailoverInterface(libfwbuilder::Cluster *cluster,
+ libfwbuilder::Firewall *fw,
+ libfwbuilder::FailoverClusterGroup *cluster_group,
+ libfwbuilder::Interface *iface);
+
+ virtual int populateClusterElements(libfwbuilder::Cluster *cluster,
+ libfwbuilder::Firewall *fw);
+
virtual void processStateSyncGroups(libfwbuilder::Cluster*,
libfwbuilder::Firewall*) {};
Modified: branches/v3_1_secunet/src/compiler_lib/compiler_lib.pro
===================================================================
--- branches/v3_1_secunet/src/compiler_lib/compiler_lib.pro 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/compiler_lib/compiler_lib.pro 2009-08-27 05:03:34 UTC (rev 1353)
@@ -8,6 +8,7 @@
TEMPLATE = lib
SOURCES = CompilerDriver.cpp \
+ CompilerDriver_compile.cpp \
Configlet.cpp \
linux24Interfaces.cpp \
interfacePropertiesObjectFactory.cpp
Modified: branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl.h
===================================================================
--- branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -58,11 +58,9 @@
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
- /*
- * Kitchen sink method that copies steps previously implemented in main()
- */
- virtual void run(const std::string &cluster_id,
- const std::string &firewall_id);
+ virtual std::string run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id);
};
Modified: branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl_run.cpp
===================================================================
--- branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl_run.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl_run.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -84,8 +84,9 @@
using namespace libfwbuilder;
using namespace fwcompiler;
-void CompilerDriver_iosacl::run(const std::string &cluster_id,
- const std::string &firewall_id)
+string CompilerDriver_iosacl::run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id)
{
if (test_mode)
cout << "*** Running in test mode, all errors are ignored" << endl << endl;
@@ -99,6 +100,9 @@
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
+ // Copy rules from the cluster object
+ populateClusterElements(cluster, fw);
+
commonChecks2(cluster, fw);
// Note that fwobjectname may be different from the name of the
@@ -199,8 +203,7 @@
- OSConfigurator *oscnf = new OSConfigurator_ios(
- objdb, current_firewall_name.toUtf8().constData(), false);
+ OSConfigurator *oscnf = new OSConfigurator_ios(objdb, fw, false);
oscnf->prolog();
oscnf->processFirewallOptions();
@@ -254,8 +257,7 @@
}
if (policy_count)
{
- Preprocessor* prep = new Preprocessor(
- objdb, current_firewall_name.toUtf8().constData(), false);
+ Preprocessor* prep = new Preprocessor(objdb, fw, false);
prep->compile();
}
@@ -266,12 +268,10 @@
if (!policy->matchingAddressFamily(policy_af)) continue;
- PolicyCompiler_iosacl c(
- objdb, current_firewall_name.toUtf8().constData(),
- ipv6_policy, oscnf);
+ PolicyCompiler_iosacl c(objdb, fw, ipv6_policy, oscnf);
c.setSourceRuleSet( policy );
-
+ c.setSingleRuleCompileMode(single_rule_id);
if (test_mode) c.setTestMode();
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
@@ -311,8 +311,9 @@
{
// currently routing is supported only for ipv4
RoutingCompiler_iosacl r(
- objdb, current_firewall_name.toUtf8().constData(), false, oscnf);
+ objdb, fw, false, oscnf);
+ r.setSingleRuleCompileMode(single_rule_id);
if (test_mode) r.setTestMode();
r.setDebugLevel( dl );
if (rule_debug_on) r.setDebugRule( drp );
@@ -414,9 +415,8 @@
" for writing");
}
- cout << " Compiled successfully" << endl << flush;
-
delete oscnf;
+ return "";
}
Modified: branches/v3_1_secunet/src/iosacl/OSConfigurator_ios.h
===================================================================
--- branches/v3_1_secunet/src/iosacl/OSConfigurator_ios.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/iosacl/OSConfigurator_ios.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -45,9 +45,9 @@
virtual ~OSConfigurator_ios() {};
OSConfigurator_ios(libfwbuilder::FWObjectDatabase *_db,
- const std::string &fwname,
+ libfwbuilder::Firewall *fw,
bool ipv6_policy) :
- OSConfigurator(_db, fwname, ipv6_policy) {}
+ OSConfigurator(_db, fw, ipv6_policy) {}
virtual int prolog();
Modified: branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.cpp
===================================================================
--- branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -61,10 +61,10 @@
string PolicyCompiler_iosacl::myPlatformName() { return "iosacl"; }
PolicyCompiler_iosacl::PolicyCompiler_iosacl(FWObjectDatabase *_db,
- const std::string &fwname,
+ Firewall *fw,
bool ipv6_policy,
OSConfigurator *_oscnf) :
- PolicyCompiler_cisco(_db, fwname, ipv6_policy, _oscnf)
+ PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf)
{
resetinbound=false;
fragguard=false;
Modified: branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.h
===================================================================
--- branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -252,7 +252,7 @@
public:
PolicyCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db,
- const std::string &fwname,
+ libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf);
virtual ~PolicyCompiler_iosacl() {}
Modified: branches/v3_1_secunet/src/iosacl/RoutingCompiler_iosacl.h
===================================================================
--- branches/v3_1_secunet/src/iosacl/RoutingCompiler_iosacl.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/iosacl/RoutingCompiler_iosacl.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -73,9 +73,9 @@
public:
RoutingCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db,
- const std::string &fwname, bool ipv6_policy,
+ libfwbuilder::Firewall *fw, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
- RoutingCompiler_cisco(_db, fwname, ipv6_policy, _oscnf) {};
+ RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {};
virtual int prolog();
virtual void compile();
Modified: branches/v3_1_secunet/src/ipf/CompilerDriver_ipf.h
===================================================================
--- branches/v3_1_secunet/src/ipf/CompilerDriver_ipf.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipf/CompilerDriver_ipf.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -60,11 +60,9 @@
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
- /*
- * Kitchen sink method that copies steps previously implemented in main()
- */
- virtual void run(const std::string &cluster_id,
- const std::string &firewall_id);
+ virtual std::string run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id);
};
Modified: branches/v3_1_secunet/src/ipf/CompilerDriver_ipf_run.cpp
===================================================================
--- branches/v3_1_secunet/src/ipf/CompilerDriver_ipf_run.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipf/CompilerDriver_ipf_run.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -87,8 +87,9 @@
using namespace libfwbuilder;
using namespace fwcompiler;
-void CompilerDriver_ipf::run(const std::string &cluster_id,
- const std::string &firewall_id)
+string CompilerDriver_ipf::run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
@@ -99,6 +100,9 @@
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
+ // Copy rules from the cluster object
+ populateClusterElements(cluster, fw);
+
commonChecks2(cluster, fw);
FWOptions* options = fw->getOptionsObject();
@@ -133,7 +137,7 @@
QString shell_dbg = (debug)?"-x":"" ;
QString ipf_dbg = (debug)?"-v":"";
- Preprocessor* prep = new Preprocessor(objdb , current_firewall_name.toUtf8().constData(), false);
+ Preprocessor* prep = new Preprocessor(objdb , fw, false);
prep->compile();
/*
@@ -142,13 +146,13 @@
OSConfigurator *oscnf=NULL;
string family=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if ( family=="solaris" )
- oscnf=new OSConfigurator_solaris(objdb , current_firewall_name.toUtf8().constData(), false);
+ oscnf=new OSConfigurator_solaris(objdb , fw, false);
if ( family=="openbsd")
- oscnf=new OSConfigurator_openbsd(objdb , current_firewall_name.toUtf8().constData(), false);
+ oscnf=new OSConfigurator_openbsd(objdb , fw, false);
if ( family=="freebsd")
- oscnf=new OSConfigurator_freebsd(objdb , current_firewall_name.toUtf8().constData(), false);
+ oscnf=new OSConfigurator_freebsd(objdb , fw, false);
if (oscnf==NULL)
throw FWException("Unrecognized host OS " +
@@ -159,8 +163,9 @@
/*
* create compilers and run the whole thing
*/
- PolicyCompiler_ipf c( objdb , current_firewall_name.toUtf8().constData(), false , oscnf );
+ PolicyCompiler_ipf c( objdb , fw, false , oscnf );
+ c.setSingleRuleCompileMode(single_rule_id);
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
c.setVerbose( verbose );
@@ -173,8 +178,9 @@
c.epilog();
}
- NATCompiler_ipf n( objdb , current_firewall_name.toUtf8().constData(), false , oscnf );
+ NATCompiler_ipf n( objdb , fw, false , oscnf );
+ n.setSingleRuleCompileMode(single_rule_id);
n.setDebugLevel( dl );
if (rule_debug_on) n.setDebugRule( drn );
n.setVerbose( verbose );
@@ -424,7 +430,7 @@
" for writing");
}
- cout << " Compiled successfully" << endl << flush;
+ return "";
}
Modified: branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw.h
===================================================================
--- branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -55,11 +55,9 @@
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
- /*
- * Kitchen sink method that copies steps previously implemented in main()
- */
- virtual void run(const std::string &cluster_id,
- const std::string &firewall_id);
+ virtual std::string run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id);
};
Modified: branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw_run.cpp
===================================================================
--- branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw_run.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw_run.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -83,8 +83,9 @@
using namespace libfwbuilder;
using namespace fwcompiler;
-void CompilerDriver_ipfw::run(const std::string &cluster_id,
- const std::string &firewall_id)
+string CompilerDriver_ipfw::run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
@@ -95,6 +96,9 @@
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
+ // Copy rules from the cluster object
+ populateClusterElements(cluster, fw);
+
commonChecks2(cluster, fw);
FWOptions* options = fw->getOptionsObject();
@@ -119,10 +123,10 @@
OSConfigurator *oscnf=NULL;
string family=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if ( family=="macosx")
- oscnf=new OSConfigurator_macosx(objdb , current_firewall_name.toUtf8().constData(), false);
+ oscnf=new OSConfigurator_macosx(objdb , fw, false);
if ( family=="freebsd")
- oscnf=new OSConfigurator_freebsd(objdb , current_firewall_name.toUtf8().constData(), false);
+ oscnf=new OSConfigurator_freebsd(objdb , fw, false);
if (oscnf==NULL)
throw FWException(_("Unrecognized host OS ")+fw->getStr("host_OS")+" (family "+family+")");
@@ -182,7 +186,7 @@
if (policy_count)
{
Preprocessor* prep = new Preprocessor(
- objdb , current_firewall_name.toUtf8().constData(), ipv6_policy);
+ objdb , fw, ipv6_policy);
if (test_mode) prep->setTestMode();
prep->compile();
}
@@ -198,10 +202,11 @@
if (!policy->matchingAddressFamily(policy_af)) continue;
- PolicyCompiler_ipfw c(objdb, current_firewall_name.toUtf8().constData(), ipv6_policy, oscnf);
+ PolicyCompiler_ipfw c(objdb, fw, ipv6_policy, oscnf);
c.setIPFWNumber(ipfw_rule_number);
c.setSourceRuleSet( policy );
c.setRuleSetName(branch_name);
+ c.setSingleRuleCompileMode(single_rule_id);
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
c.setVerbose( (bool)(verbose) );
@@ -254,7 +259,7 @@
/*
* create compilers and run the whole thing
*/
- PolicyCompiler_ipfw c( objdb , current_firewall_name.toUtf8().constData(), false , oscnf );
+ PolicyCompiler_ipfw c( objdb , fw, false , oscnf );
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
@@ -379,7 +384,7 @@
script << c.getCompiledScript();
}
#else
- PolicyCompiler_ipfw c(objdb, current_firewall_name.toUtf8().constData(), false, oscnf);
+ PolicyCompiler_ipfw c(objdb, fw, false, oscnf);
script << c.defaultRules();
script << generated_script;
#endif
@@ -420,5 +425,6 @@
fw_file_name.toStdString() +
" for writing");
}
+ return "";
}
Modified: branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.cpp
===================================================================
--- branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -35,6 +35,7 @@
#include <assert.h>
#include <cstring>
#include <iomanip>
+#include <memory>
#include "CompilerDriver_ipt.h"
@@ -127,6 +128,10 @@
}
}
+/*
+ * TODO: use configlet to define structure of generated script. Need
+ * 2 configlets: for the shell script format and iptables-restore format
+ */
string CompilerDriver_ipt::dumpScript(Firewall *fw,
const string& reset_script,
const string& nat_script,
@@ -140,7 +145,7 @@
if (fw->getOptionsObject()->getBool("use_iptables_restore"))
{
- if (!reset_script.empty() && !filter_script.empty())
+ if (!filter_script.empty())
{
script << "echo '*filter'\n";
script << reset_script;
@@ -197,6 +202,7 @@
bool CompilerDriver_ipt::processPolicyRuleSet(
Firewall *fw,
FWObject *ruleset,
+ const string &single_rule_id,
ostringstream &filter_table_stream,
ostringstream &mangle_table_stream,
ostringstream &automatic_rules_stream,
@@ -229,19 +235,18 @@
bool ipv6_policy = (policy_af == AF_INET6);
- MangleTableCompiler_ipt *mangle_compiler;
+ std::auto_ptr<MangleTableCompiler_ipt> mangle_compiler(
+ new MangleTableCompiler_ipt(objdb , fw,
+ ipv6_policy , oscnf,
+ &minus_n_commands_mangle ));
- mangle_compiler = new MangleTableCompiler_ipt(
- objdb , current_firewall_name.toUtf8().constData(),
- ipv6_policy , oscnf,
- &minus_n_commands_mangle );
-
if (!policy->isTop())
mangle_compiler->registerRuleSetChain(branch_name);
mangle_compiler->setSourceRuleSet( policy );
mangle_compiler->setRuleSetName(branch_name);
+ mangle_compiler->setSingleRuleCompileMode(single_rule_id);
mangle_compiler->setDebugLevel( dl );
if (rule_debug_on) mangle_compiler->setDebugRule( drp );
mangle_compiler->setVerbose( (bool)(verbose) );
@@ -313,19 +318,19 @@
}
}
- PolicyCompiler_ipt *policy_compiler = NULL;
+ std::auto_ptr<PolicyCompiler_ipt> policy_compiler;
if (fw->getStr("host_OS") == "secuwall") {
- policy_compiler = new PolicyCompiler_secuwall(
- objdb,current_firewall_name.toUtf8().constData(), ipv6_policy, oscnf,
- &minus_n_commands_filter);
+ policy_compiler = std::auto_ptr<PolicyCompiler_ipt>(
+ new PolicyCompiler_secuwall(objdb,fw, ipv6_policy, oscnf,
+ &minus_n_commands_filter));
} else {
- policy_compiler = new PolicyCompiler_ipt(
- objdb,current_firewall_name.toUtf8().constData(), ipv6_policy, oscnf,
- &minus_n_commands_filter);
+ policy_compiler = std::auto_ptr<PolicyCompiler_ipt>(
+ new PolicyCompiler_ipt(objdb,fw, ipv6_policy, oscnf,
+ &minus_n_commands_filter));
}
- if (policy_compiler==NULL)
+ if (policy_compiler.get()==NULL)
throw FWException("Unrecognized firewall platform " +
fw->getStr("platform") +
" (family " + platform_family+")");
@@ -336,6 +341,7 @@
policy_compiler->setSourceRuleSet( policy );
policy_compiler->setRuleSetName(branch_name);
+ policy_compiler->setSingleRuleCompileMode(single_rule_id);
policy_compiler->setDebugLevel( dl );
if (rule_debug_on) policy_compiler->setDebugRule( drp );
policy_compiler->setVerbose( (bool)(verbose) );
Modified: branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.h
===================================================================
--- branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -55,11 +55,9 @@
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
- /*
- * Kitchen sink method that copies steps previously implemented in main()
- */
- virtual void run(const std::string &cluster_id,
- const std::string &firewall_id);
+ virtual std::string run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id);
void assignRuleSetChain(libfwbuilder::RuleSet *ruleset);
void findBranchesInMangleTable(libfwbuilder::Firewall*,
@@ -75,6 +73,7 @@
bool processPolicyRuleSet(
libfwbuilder::Firewall *fw,
libfwbuilder::FWObject *ruleset,
+ const std::string &single_rule_id,
std::ostringstream &filter_table_stream,
std::ostringstream &mangle_table_stream,
std::ostringstream &automatic_rules_stream,
Modified: branches/v3_1_secunet/src/ipt/CompilerDriver_ipt_run.cpp
===================================================================
--- branches/v3_1_secunet/src/ipt/CompilerDriver_ipt_run.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipt/CompilerDriver_ipt_run.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -48,6 +48,7 @@
#include <assert.h>
#include <cstring>
#include <iomanip>
+#include <memory>
#include "CompilerDriver_ipt.h"
@@ -99,8 +100,9 @@
* operates with a copy of the object database which is not exposed
* outside, so the caller can not provide pointers to these obejcts.
*/
-void CompilerDriver_ipt::run(const std::string &cluster_id,
- const std::string &firewall_id)
+string CompilerDriver_ipt::run(const std::string &cluster_id,
+ const std::string &firewall_id,
+ const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
@@ -111,6 +113,9 @@
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
+ // Copy rules from the cluster object
+ populateClusterElements(cluster, fw);
+
commonChecks2(cluster, fw);
string fw_version = fw->getStr("version");
@@ -140,7 +145,7 @@
bool debug=options->getBool("debug");
QString shell_dbg = (debug)?"set -x":"" ;
- OSConfigurator_linux24 *oscnf = NULL;
+ std::auto_ptr<OSConfigurator_linux24> oscnf;
string platform_family = Resources::platform_res[platform]->
getResourceStr("/FWBuilderResources/Target/family");
@@ -172,19 +177,19 @@
// in states ESTABLISHED,RELATED
fw->getOptionsObject()->setBool("accept_established", false);
- oscnf = new OSConfigurator_ipcop(
- objdb , current_firewall_name.toUtf8().constData(), false);
+ oscnf = std::auto_ptr<OSConfigurator_linux24>(
+ new OSConfigurator_ipcop(objdb , fw, false));
}
if (os_family == "linux24" || os_family == "sveasoft")
- oscnf = new OSConfigurator_linux24(
- objdb , current_firewall_name.toUtf8().constData(), false);
+ oscnf = std::auto_ptr<OSConfigurator_linux24>(
+ new OSConfigurator_linux24(objdb , fw, false));
if (os_family == "secuwall")
- oscnf = new OSConfigurator_secuwall(
- objdb , current_firewall_name.toUtf8().constData(), false);
+ oscnf = std::auto_ptr<OSConfigurator_linux24>(
+ new OSConfigurator_secuwall(objdb , fw, false));
- if (oscnf==NULL)
+ if (oscnf.get()==NULL)
throw FWException("Unrecognized host OS " +
fw->getStr("host_OS") +
" (family " + os_family+")");
@@ -278,7 +283,7 @@
if (nat_count || policy_count)
{
Preprocessor* prep = new Preprocessor(
- objdb , current_firewall_name.toUtf8().constData(), ipv6_policy);
+ objdb , fw, ipv6_policy);
if (test_mode) prep->setTestMode();
prep->compile();
delete prep;
@@ -304,15 +309,14 @@
// compile NAT rules before policy rules because policy
// compiler needs to know the number of virtual addresses
// being created for NAT
- NATCompiler_ipt *nat_compiler;
+ std::auto_ptr<NATCompiler_ipt> nat_compiler(
+ new NATCompiler_ipt(objdb, fw, ipv6_policy,
+ oscnf.get(), &minus_n_commands_nat));
- nat_compiler = new NATCompiler_ipt(
- objdb, current_firewall_name.toUtf8().constData(), ipv6_policy,
- oscnf, &minus_n_commands_nat);
-
nat_compiler->setSourceRuleSet( nat );
nat_compiler->setRuleSetName(branch_name);
+ nat_compiler->setSingleRuleCompileMode(single_rule_id);
nat_compiler->setDebugLevel( dl );
if (rule_debug_on) nat_compiler->setDebugRule( drn );
nat_compiler->setVerbose( (bool)(verbose) );
@@ -363,16 +367,17 @@
if (! processPolicyRuleSet(
fw,
policy,
+ single_rule_id,
filter_rules_stream,
mangle_rules_stream,
automaitc_rules_stream,
- oscnf,
+ oscnf.get(),
policy_af,
minus_n_commands_filter,
minus_n_commands_mangle)) empty_output = false;
}
- if (!empty_output)
+ if (!empty_output && !single_rule_compile_on)
{
if (ipv6_policy)
{
@@ -396,11 +401,10 @@
ipv6_policy);
}
- RoutingCompiler_ipt *routing_compiler;
+ std::auto_ptr<RoutingCompiler_ipt> routing_compiler(
+ new RoutingCompiler_ipt(objdb, fw, false, oscnf.get()));
- routing_compiler = new RoutingCompiler_ipt(
- objdb , current_firewall_name.toUtf8().constData() , false, oscnf );
-
+ routing_compiler->setSingleRuleCompileMode(single_rule_id);
routing_compiler->setDebugLevel( dl );
if (rule_debug_on) routing_compiler->setDebugRule(drp);
routing_compiler->setVerbose( verbose );
@@ -412,6 +416,13 @@
routing_compiler->epilog();
}
+ if (single_rule_compile_on)
+ {
+ // in single rule compile mode just return the result
+ return generated_script + routing_compiler->getCompiledScript();
+ }
+
+
/*
* These store generated configuration internally, extract it later using
* OSConfiguration::getGeneratedFiles();
@@ -653,10 +664,8 @@
fw_file_name.toStdString() +
" for writing");
}
-
- /* Cleanup ressources */
- delete oscnf;
-
+
+ return "";
}
Modified: branches/v3_1_secunet/src/ipt/MangleTableCompiler_ipt.h
===================================================================
--- branches/v3_1_secunet/src/ipt/MangleTableCompiler_ipt.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipt/MangleTableCompiler_ipt.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -46,12 +46,12 @@
public:
MangleTableCompiler_ipt(libfwbuilder::FWObjectDatabase *_db,
- const std::string &fwname,
+ libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf,
std::map<const std::string, bool> *m_n_cmd_map
) :
- PolicyCompiler_ipt(_db, fwname, ipv6_policy, _oscnf, m_n_cmd_map)
+ PolicyCompiler_ipt(_db, fw, ipv6_policy, _oscnf, m_n_cmd_map)
{
my_table = "mangle";
}
Modified: branches/v3_1_secunet/src/ipt/NATCompiler_PrintRule.cpp
===================================================================
--- branches/v3_1_secunet/src/ipt/NATCompiler_PrintRule.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipt/NATCompiler_PrintRule.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -153,8 +153,11 @@
{
ostringstream res;
- bool nocomm=Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments");
+ bool nocomm =
+ Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments");
+ if (compiler->inSingleRuleCompileMode()) return "";
+
string rl=rule->getLabel();
if (rl!=current_rule_label)
{
Modified: branches/v3_1_secunet/src/ipt/NATCompiler_ipt.cpp
===================================================================
--- branches/v3_1_secunet/src/ipt/NATCompiler_ipt.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipt/NATCompiler_ipt.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -2203,6 +2203,8 @@
add( new printTotalNumberOfRules());
+ add( new singleRuleFilter());
+
add( new recursiveGroupsInOSrc("check for recursive groups in OSRC"));
add( new recursiveGroupsInODst("check for recursive groups in ODST"));
add( new recursiveGroupsInOSrv("check for recursive groups in OSRV"));
Modified: branches/v3_1_secunet/src/ipt/NATCompiler_ipt.h
===================================================================
--- branches/v3_1_secunet/src/ipt/NATCompiler_ipt.h 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipt/NATCompiler_ipt.h 2009-08-27 05:03:34 UTC (rev 1353)
@@ -574,11 +574,11 @@
public:
NATCompiler_ipt(libfwbuilder::FWObjectDatabase *_db,
- const std::string &fwname,
+ libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf,
std::map<const std::string, bool> *m_n_commands_map) :
- NATCompiler(_db, fwname, ipv6_policy, _oscnf)
+ NATCompiler(_db, fw, ipv6_policy, _oscnf)
{
have_dynamic_interfaces=false;
printRule=NULL;
Modified: branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.cpp
===================================================================
--- branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.cpp 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.cpp 2009-08-27 05:03:34 UTC (rev 1353)
@@ -36,9 +36,9 @@
string OSConfigurator_ipcop::myPlatformName() { return "ipcop"; }
OSConfigurator_ipcop:...
[truncated message content] |
Thanks for helping keep SourceForge clean.
X