Thread: [fwbuilder-commits] r1353 - in branches/v3_1_secunet: . doc src/cisco_lib src/compiler_lib src/iosa
From: <va...@in...> - 2009-08-27 05:05:40
Author: vadim Date: 2009-08-26 22:03:34 -0700 (Wed, 26 Aug 2009) New Revision: 1353 Modified: branches/v3_1_secunet/build_num branches/v3_1_secunet/doc/ChangeLog branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.cpp branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.h branches/v3_1_secunet/src/cisco_lib/RoutingCompiler_cisco.h branches/v3_1_secunet/src/compiler_lib/CompilerDriver.cpp branches/v3_1_secunet/src/compiler_lib/CompilerDriver.h branches/v3_1_secunet/src/compiler_lib/compiler_lib.pro branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl.h branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl_run.cpp branches/v3_1_secunet/src/iosacl/OSConfigurator_ios.h branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.cpp branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.h branches/v3_1_secunet/src/iosacl/RoutingCompiler_iosacl.h branches/v3_1_secunet/src/ipf/CompilerDriver_ipf.h branches/v3_1_secunet/src/ipf/CompilerDriver_ipf_run.cpp branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw.h branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw_run.cpp branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.cpp branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.h branches/v3_1_secunet/src/ipt/CompilerDriver_ipt_run.cpp branches/v3_1_secunet/src/ipt/MangleTableCompiler_ipt.h branches/v3_1_secunet/src/ipt/NATCompiler_PrintRule.cpp branches/v3_1_secunet/src/ipt/NATCompiler_ipt.cpp branches/v3_1_secunet/src/ipt/NATCompiler_ipt.h branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.cpp branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.h branches/v3_1_secunet/src/ipt/OSConfigurator_linux24.cpp branches/v3_1_secunet/src/ipt/OSConfigurator_linux24.h branches/v3_1_secunet/src/ipt/OSConfigurator_secuwall.cpp branches/v3_1_secunet/src/ipt/OSConfigurator_secuwall.h branches/v3_1_secunet/src/ipt/PolicyCompiler_PrintRule.cpp branches/v3_1_secunet/src/ipt/PolicyCompiler_ipt.cpp branches/v3_1_secunet/src/ipt/PolicyCompiler_ipt.h 
branches/v3_1_secunet/src/ipt/PolicyCompiler_secuwall.cpp branches/v3_1_secunet/src/ipt/PolicyCompiler_secuwall.h branches/v3_1_secunet/src/ipt/RoutingCompiler_ipt.cpp branches/v3_1_secunet/src/ipt/RoutingCompiler_ipt.h branches/v3_1_secunet/src/pf/CompilerDriver_pf.h branches/v3_1_secunet/src/pf/CompilerDriver_pf_run.cpp branches/v3_1_secunet/src/pflib/NATCompiler_ipf.h branches/v3_1_secunet/src/pflib/NATCompiler_ipfw.h branches/v3_1_secunet/src/pflib/NATCompiler_pf.h branches/v3_1_secunet/src/pflib/OSConfigurator_bsd.h branches/v3_1_secunet/src/pflib/OSConfigurator_freebsd.h branches/v3_1_secunet/src/pflib/OSConfigurator_macosx.h branches/v3_1_secunet/src/pflib/OSConfigurator_openbsd.h branches/v3_1_secunet/src/pflib/OSConfigurator_solaris.h branches/v3_1_secunet/src/pflib/PolicyCompiler_ipf.h branches/v3_1_secunet/src/pflib/PolicyCompiler_ipfw.h branches/v3_1_secunet/src/pflib/PolicyCompiler_pf.h branches/v3_1_secunet/src/pflib/Preprocessor_pf.h branches/v3_1_secunet/src/pix/CompilerDriver_pix.cpp branches/v3_1_secunet/src/pix/CompilerDriver_pix.h branches/v3_1_secunet/src/pix/CompilerDriver_pix_run.cpp branches/v3_1_secunet/src/pix/NATCompiler_pix.cpp branches/v3_1_secunet/src/pix/NATCompiler_pix.h branches/v3_1_secunet/src/pix/OSConfigurator_pix_os.h branches/v3_1_secunet/src/pix/PolicyCompiler_pix.cpp branches/v3_1_secunet/src/pix/PolicyCompiler_pix.h branches/v3_1_secunet/src/pix/RoutingCompiler_pix.h Log: 2009-08-26 vadim <va...@vk...> * CompilerDriver.cpp (CompilerDriver::populateClusterElements): moved this method from class Compiler. fixes #367 * CompilerDriver_compile.cpp (compileSingleRule): entry point for single rule compile. Takes one argument - rule ID and returns a QMap<QString,QString> where key is firewall name and value is generated script for this rule. Currently using this entry point in the command line compilers via cli argument -s rule_id. Fully implemented in fwb_ipt. 
Fixes #358, #206 * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): using std::auto_ptr to protect OSConfigurator, PolicyCompiler and NATCompiler objects and to properly delete them to avoid memory leaks in fwb_ipt. fixes #371
Modified: branches/v3_1_secunet/build_num
===================================================================
--- branches/v3_1_secunet/build_num 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/build_num 2009-08-27 05:03:34 UTC (rev 1353)
@@ -1 +1 @@
-#define BUILD_NUM 1351
+#define BUILD_NUM 1352
Modified: branches/v3_1_secunet/doc/ChangeLog
===================================================================
--- branches/v3_1_secunet/doc/ChangeLog 2009-08-26 21:31:39 UTC (rev 1352)
+++ branches/v3_1_secunet/doc/ChangeLog 2009-08-27 05:03:34 UTC (rev 1353)
@@ -1,3 +1,20 @@ +2009-08-26 vadim <va...@vk...> + + * CompilerDriver.cpp (CompilerDriver::populateClusterElements): + moved this method from class Compiler. fixes #367 + + * CompilerDriver_compile.cpp (compileSingleRule): entry point for + single rule compile. Takes one argument - rule ID and returns a + QMap<QString,QString> where key is firewall name and value is + generated script for this rule. Currently using this entry point + in the command line compilers via cli argument -s rule_id. Fully + implemented in fwb_ipt. Fixes #358, #206 + + * CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): using + std::auto_ptr to protect OSConfigurator, PolicyCompiler and + NATCompiler objects and to properly delete them to avoid memory + leaks in fwb_ipt. fixes #371 + 2009-08-24 vadim <va...@vk...> * CompilerDriver.cpp (CompilerDriver::commonChecks2): refactored Modified: branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.cpp =================================================================== --- branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -61,10 +61,10 @@ string PolicyCompiler_cisco::myPlatformName() { return ""; } PolicyCompiler_cisco::PolicyCompiler_cisco(FWObjectDatabase *_db, - const std::string &fwname, + Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : - PolicyCompiler(_db, fwname, ipv6_policy, _oscnf) , helper(this) + PolicyCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this) { } Modified: branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.h =================================================================== --- branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/cisco_lib/PolicyCompiler_cisco.h 2009-08-27 05:03:34 UTC (rev 1353) 
@@ -434,7 +434,7 @@ public: PolicyCompiler_cisco(libfwbuilder::FWObjectDatabase *_db, - const std::string &fwname, + libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); virtual ~PolicyCompiler_cisco() {} Modified: branches/v3_1_secunet/src/cisco_lib/RoutingCompiler_cisco.h =================================================================== --- branches/v3_1_secunet/src/cisco_lib/RoutingCompiler_cisco.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/cisco_lib/RoutingCompiler_cisco.h 2009-08-27 05:03:34 UTC (rev 1353) @@ -114,9 +114,9 @@ RoutingCompiler_cisco::PrintRule *printRule; RoutingCompiler_cisco(libfwbuilder::FWObjectDatabase *_db, - const std::string &fwname, bool ipv6_policy, + libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : - RoutingCompiler(_db, fwname, ipv6_policy, _oscnf) {} + RoutingCompiler(_db, fw, ipv6_policy, _oscnf) {} virtual int prolog(); virtual void compile(); Modified: branches/v3_1_secunet/src/compiler_lib/CompilerDriver.cpp =================================================================== --- branches/v3_1_secunet/src/compiler_lib/CompilerDriver.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/compiler_lib/CompilerDriver.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -53,7 +53,9 @@ #include "fwbuilder/IPv4.h" #include "fwbuilder/IPv6.h" #include "fwbuilder/Rule.h" -#include "fwbuilder/RuleSet.h" +#include "fwbuilder/Policy.h" +#include "fwbuilder/NAT.h" +#include "fwbuilder/Routing.h" #include "fwbuilder/Resources.h" #include "fwbuilder/StateSyncClusterGroup.h" #include "fwbuilder/FailoverClusterGroup.h" @@ -78,6 +80,7 @@ dl = 0; drp = -1; rule_debug_on = false; + single_rule_compile_on = false; drn = -1; verbose = 0; have_dynamic_interfaces = false; 
@@ -101,68 +104,6 @@ return new CompilerDriver(objdb); } -bool CompilerDriver::prepare(const QStringList &_args) -{ - args = _args; - - if (!configure(args)) return false; - - Firewall *fw = locateObject(); - - if (fw == NULL) - { - cerr << "Firewall or cluster object not found" << endl; - return false; - } - return true; -} - -void CompilerDriver::compile() -{ - Firewall *fw = locateObject(); - if (Cluster::isA(fw)) - { - commonChecks(fw); - // compiling cluster. - list<Firewall*> members; - Cluster::cast(fw)->getMembersList(members); - for (list<Firewall*>::iterator it=members.begin(); it!=members.end(); ++it) - { - cout << endl; - cout << " Firewall " << (*it)->getName() - << " member of cluster " << fw->getName() - << endl; - - CompilerDriver *cl_driver = clone(); - cl_driver->configure(args); - cl_driver->chDir(); - cl_driver->run(objdb->getStringId(fw->getId()), - objdb->getStringId((*it)->getId())); - delete cl_driver; - } - } - else - { - chDir(); - commonChecks(fw); - run("", objdb->getStringId(fw->getId())); - } -} - -/* - * Compile single rule and return generated code. Rule is defined by - * its ID, this is sufficient to locate the rule, ruleset and firewall - * objects. If ruleset belongs to a cluster, compile all members and - * return code generated for all of them. Returned code is placed in - * QMap where the key is member firewall name and value is generated - * script. If the rule belongs to a firewall rather than a cluster, - * returned QMap contains one item. - */ -QMap<QString,QString> CompilerDriver::compileSingleRule(const std::string &rule_id) -{ - -} - bool CompilerDriver::configure(const QStringList &args) { QString last_arg; @@ -264,6 +205,14 @@ rule_debug_on = true; continue; } + + if (arg == "-s") + { + idx++; + single_rule_id = args.at(idx).toStdString(); + single_rule_compile_on = true; + continue; + } } fwobjectname = last_arg; 
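Review bot: The new `-s` branch in configure() does `idx++` and then `args.at(idx)` without checking that an argument follows, so a command line ending in `-s` indexes past the end of the QStringList (an assertion in a debug Qt build, undefined behaviour in release). configure() already reports bad input by returning false, so guard it the same way: `if (++idx >= args.size()) return false; // -s needs a rule ID`. The rule ID is stored verbatim from the command line into single_rule_id; where it is resolved against the object database lives in CompilerDriver_compile.cpp, outside this diff, so the lookup there should treat an unknown or malformed ID as a reported error rather than an assertion.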
@@ -289,9 +238,6 @@ void CompilerDriver::commonChecks(Firewall *fw) { - // Temporary compiler object, need it to copy rules and process errors - Compiler *compiler = new Compiler(objdb, fw->getName(), false); - if (Cluster::isA(fw)) { Cluster *cluster = Cluster::cast(fw); @@ -311,7 +257,7 @@ string err = string("Member firewalls use the same output file name ") + ofname; - compiler->abort(err); + throw FWException(err); } output_file_names.insert(ofname); } @@ -323,9 +269,6 @@ QString current_firewall_name = fw->getName().c_str(); string host_os = fw->getStr("host_OS"); - // Temporary compiler object, need it to copy rules and process errors - Compiler *compiler = new Compiler(objdb, fw->getName(), false); - if (cluster) { // firewall is a member of a cluster. @@ -334,16 +277,10 @@ processStateSyncGroups(cluster, fw); - // Copy rules from the cluster object - // Need temporary compiler object for this. - compiler->populateClusterElements(cluster, fw); - // some initial sanity checks validateClusterGroups(cluster); } - delete compiler; - list<FWObject*> interfaces = fw->getByTypeDeep(Interface::TYPENAME); for (list<FWObject*>::iterator i=interfaces.begin(); i!=interfaces.end(); ++i) { @@ -561,15 +498,13 @@ imported_policies.begin(), imported_policies.end()); } -void CompilerDriver::run(const std::string&, const std::string&) +string CompilerDriver::run(const std::string&, const std::string&, const std::string&) { + return ""; } void CompilerDriver::validateClusterGroups(Cluster *cluster) { - // Temporary compiler object, need it to process errors - Compiler *compiler = new Compiler(objdb, cluster->getName(), false); - string host_os = cluster->getStr("host_OS"); Resources* os_res = Resources::os_res[host_os]; if (os_res==NULL) return; 
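Review bot: commonChecks and validateClusterGroups now report problems with `throw FWException(err)` where they previously called `compiler->abort(...)`, so the callers must catch FWException and print its message, or the process ends via std::terminate with no diagnostic; compile() was removed from this file and presumably lives in the new CompilerDriver_compile.cpp, which is outside this diff, so that cannot be confirmed here. Dropping the temporary `new Compiler(...)` objects also removes the leak on the abort path, which is the right direction. A one-line comment above commonChecks, `// throws FWException on configuration errors; callers are expected to catch it`, would make the new contract visible to the other drivers that call it. The commonChecks2 body continues outside the hunks shown.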
@@ -586,7 +521,7 @@ if (!isSupported(&state_sync_protocols, state_sync_type)) { QString err("State sync group type %1 is not supported"); - compiler->abort(err.arg(state_sync_type.c_str()).toStdString()); + throw FWException(err.arg(state_sync_type.c_str()).toStdString()); } } @@ -602,11 +537,9 @@ if (!isSupported(&failover_protocols, failover_type)) { QString err("Failover group type %1 is not supported"); - compiler->abort(err.arg(failover_type.c_str()).toStdString()); + throw FWException(err.arg(failover_type.c_str()).toStdString()); } } - - delete compiler; } bool CompilerDriver::isSupported(list<string> *protocols, const string &cluster_group_type) 
@@ -665,4 +598,317 @@ return str.join("\n"); } +/* + * 1. Iterate over all fw interfaces and check if they are referenced in a + * ClusterGroup. + * -> if yes then make copy of vrrp interface and set BASEDEV accordingly + * 2. clear Policy, NAT & Routing rules of the firewall, then copy cluster + * policy, NAT and routing rules. + */ +int CompilerDriver::populateClusterElements(Cluster *cluster, Firewall *fw) +{ + if (cluster==NULL) return 0; + int addedPolicies = 0; + set<string> state_sync_types; + + checkCluster(cluster); + + for (FWObjectTypedChildIterator it = cluster->findByType(StateSyncClusterGroup::TYPENAME); + it != it.end(); ++it) + { + StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast(*it); + /* For the state syncing cluster group, hierarchy looks like this: + * Cluster->StateSyncClusterGroup->ObjectRef + */ + string grp_type = state_sync_group->getStr("type"); + if (state_sync_types.count(grp_type) > 0) + throw FWException("Several state synchronization groups of the same type in one cluster object."); + + state_sync_types.insert(grp_type); + + for (FWObjectTypedChildIterator it = + state_sync_group->findByType(FWObjectReference::TYPENAME); + it != it.end(); ++it) + { + Interface *iface = Interface::cast(FWObjectReference::getObject(*it)); + assert(iface); + //processStateSyncGroup(cluster, fw, state_sync_group, iface); + + iface->getOptionsObject()->setBool("state_sync_group_member", true); + iface->getOptionsObject()->setStr( + "state_sync_group_id", + FWObjectDatabase::getStringId(state_sync_group->getId())); + string master_id = state_sync_group->getStr("master_iface"); + string iface_str_id = FWObjectDatabase::getStringId(iface->getId()); + iface->getOptionsObject()->setBool("state_sync_master", + master_id == iface_str_id); + fw->getOptionsObject()->setBool("cluster_member", true); + } + } + + /* For VRRP references the hierarchy is as follows: + * Cluster->Interface->FailoverClusterGroup->ObjectRef + */ + 
FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME); + for (; cl_iface != cl_iface.end(); ++cl_iface) + { + FailoverClusterGroup *failover_group = + FailoverClusterGroup::cast( + (*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME)); + if (failover_group) + { + for (FWObjectTypedChildIterator it = + failover_group->findByType(FWObjectReference::TYPENAME); + it != it.end(); ++it) + { + Interface *iface = Interface::cast(FWObjectReference::getObject(*it)); + assert(iface); + // We need to do some sanity checks of cluster + // interfaces for VRRP and then add them to the + // firewall object. + // These actions are very generic and have nothing specific + // to VRRP. Unless new protocol is added that requires + // something radically different, will always call this method + // for failover groups. + //if (failover_group->getStr("type") == "vrrp") + if (iface->isChildOf(fw)) + copyFailoverInterface(cluster, fw, failover_group, iface); + } + } else + { + // cluster interface without failover group + // is this a loopback interface ? + Interface *cluster_interface = Interface::cast(*cl_iface); + if (cluster_interface->isLoopback()) + { + /* Add copy of the interface from the cluster to the + * firewall object so that when it is encountered in + * the "intrface" rule element of its rules, it + * belongs to the firewall and is therefore valid. + */ + Interface* new_cl_if = Interface::cast(fw->addCopyOf(cluster_interface, true)); + assert(new_cl_if != NULL); + new_cl_if->getOptionsObject()->setBool("cluster_interface", true); + } + } + } + + int fw_direct_rules_count = fw->getPolicy()->size() + + fw->getNAT()->size() + fw->getRouting()->size(); + + if (fw_direct_rules_count > 0) + { + cout << "Warning: ignoring firewall policy (" << fw->getName(); + cout << ") since firewall is a cluster member." << endl; + } + + fw->getPolicy()->clear(); + fw->getNAT()->clear(); + fw->getRouting()->clear(); + +// Copy PolicyRules from the cluster. 
+ /* Policy rules */ + Policy* cluster_policy = cluster->getPolicy(); + Policy* fw_policy = fw->getPolicy(); + if (cluster_policy) + { + cluster_policy->setName("Cluster-Policy"); + for(int i = 0; i < cluster_policy->getRuleSetSize(); i++) + { + /* Add rule to firewall policy. New rule in the fw rule set + * has the same ID. + */ + PolicyRule* rule = PolicyRule::cast(cluster_policy->getRuleByNum(i)); + PolicyRule::cast(fw_policy->addCopyOf(rule, false)); + addedPolicies++; + } + } + + /* NAT rules */ + NAT* cluster_nat = cluster->getNAT(); + NAT* fw_nat = fw->getNAT(); + if (cluster_nat) + { + cluster_nat->setName("Cluster-NAT"); + for (int i = 0; i < cluster_nat->getRuleSetSize(); i++) + { + /* Add rule to firewall policy */ + NATRule* rule = NATRule::cast(cluster_nat->getRuleByNum(i)); + NATRule::cast(fw_nat->addCopyOf(rule, false)); + addedPolicies++; + } + } + + /* Routing rules */ + Routing* cluster_routes = cluster->getRouting(); + Routing* fw_routes = fw->getRouting(); + if (cluster_routes) + { + cluster_routes->setName("Cluster-Routing"); + for(int i = 0; i < cluster_routes->getRuleSetSize(); i++) + { + /* Add rule to firewall policy */ + RoutingRule* rule = RoutingRule::cast(cluster_routes->getRuleByNum(i)); + RoutingRule::cast(fw_routes->addCopyOf(rule, false)); + addedPolicies++; + } + } + + // finally need to remember cluster object ID so that compiler can later + // associate it in rules with the firewall. + // + // The alternative is to find all references to the cluster object + // in rules and replace them with refs to the firewall. That could + // be done either in prolog or in a special rule processor. It is + // _much_ cheaper to just remember cluster ID though. + fw->setInt("parent_cluster_id", cluster->getId()); + + return addedPolicies; +} + +/* + * Perform checks for fialover interfaces and their addresses, add a + * copy of failover interface form the cluster to the firewall object. 
+ * + * This method assumes the following: + * + * - Failover interface owns its ip address which is different from + * addresses of either firewall + * + * - address of the failover interface must be on the same subnet as + * addresses of the firewalls (perhaps this restriction can be + * lifted? Was originally implemented by Secunet folks like this) + */ +void CompilerDriver::copyFailoverInterface(Cluster *cluster, + Firewall *fw, + FailoverClusterGroup *cluster_group, + Interface *iface) +{ + Interface* cluster_if = Interface::cast(cluster_group->getParent()); + assert(cluster_if != NULL); + string cluster_if_name = cluster_if->getName(); + + /* Check that VRRP interface and fw interface are in same subnet. + * Exception: if interface is dynamic and does not have an ip address in + * fwbuilder configuration, assume it is ok. + */ + if (iface->isRegular()) + { + const Address *iface_addr = iface->getAddressObject(); + // even regular interface may have no address if user forgot + // to add one, so check if iface_addr == NULL + // Also check if cluster interface has ip address, it does not + // always need one. + + if (iface_addr && cluster_if->getAddressObject() && + !isReachable(cluster_if->getAddressObject(), iface_addr->getAddressPtr()) + ) + { + cerr << " Warning: " + << cluster_if_name + << " and " + << iface->getName() + << " are not in the same subnet." << endl; + } + } + + assert(fw->getOptionsObject() != NULL); + + iface->getOptionsObject()->setStr( + "failover_group_id", FWObjectDatabase::getStringId(cluster_group->getId())); + + /* Add copy of the cluster interface to the firewall object + * + * While adding a copy of cluster interface to the firewall, make + * sure it has new unique ID instead of a copy of the ID of the + * cluster's interface object. If the ID is the same, + * RuleElementItf::validateChild() finds clusters' interface which + * is not a child of the firewall object and therefore is + * rejected. 
+ */ + Interface* new_cl_if = Interface::cast(fw->addCopyOf(cluster_if, true)); + assert(new_cl_if != NULL); + new_cl_if->getOptionsObject()->setBool("cluster_interface", true); + new_cl_if->getOptionsObject()->setStr("base_device", iface->getName()); + new_cl_if->getOptionsObject()->setStr( + "base_interface_id", FWObjectDatabase::getStringId(iface->getId())); + + /* Set master property if interface is referenced + * as master_iface + */ + string master_id = cluster_group->getStr("master_iface"); + string iface_str_id = FWObjectDatabase::getStringId(iface->getId()); + + new_cl_if->getOptionsObject()->setBool("failover_master", + master_id == iface_str_id); + + fw->getOptionsObject()->setBool("cluster_member", true); + + /* Add copy of firewall's real interface to the cluster to make sure + * compiler recognizes it when it encounters cluster object in rules. + * This fixes #15 (makes compiler choose correct chains) + */ + cluster->addCopyOf(iface, true); +} + +/* + * Verify that there is at least one Cluster interface and that all + * have unique names and IP addresses. + */ +int CompilerDriver::checkCluster(Cluster* cluster) +{ + assert(cluster != NULL); + FWObjectTypedChildIterator cluster_ifaces = cluster->findByType(Interface::TYPENAME); + if (cluster_ifaces == cluster_ifaces.end()) + { + /* No configured cluster interface present */ + ostringstream str; + str << "The cluster has no interfaces." 
<< endl; + throw FWException(str.str()); + } + + for (; cluster_ifaces != cluster_ifaces.end(); ++cluster_ifaces) + { + string iface_name = Interface::cast(*cluster_ifaces)->getName(); + const InetAddr* iface_address = Interface::cast(*cluster_ifaces)->getAddressPtr(); + if (iface_address==NULL) continue; // cluster interface with no address + FWObjectTypedChildIterator other_ifaces = cluster_ifaces; + for (++other_ifaces; other_ifaces != cluster_ifaces.end(); ++other_ifaces) + { + if (iface_name == Interface::cast(*other_ifaces)->getName()) + { + ostringstream str; + str << "Found duplicate cluster interface name " << iface_name << "." << endl; + throw FWException(str.str()); + } + const InetAddr *other_iface_address = Interface::cast(*other_ifaces)->getAddressPtr(); + if (other_iface_address==NULL) continue; // cluster interface with no address + if (*iface_address == *other_iface_address) + { + ostringstream str; + str << "Found duplicate cluster interface address "; + str << iface_address->toString() << "." << endl; + throw FWException(str.str()); + } + } + } + + return 0; +} + +bool CompilerDriver::isReachable(const Address* const client, + const InetAddr* const server) +{ + const InetAddr *addr = client->getAddressPtr(); + const InetAddr *netm = client->getNetmaskPtr(); + if (addr) + { + InetAddrMask fw_net(*addr, *netm); + if (fw_net.belongs(*server)) + return true; + } + return false; +} + + Modified: branches/v3_1_secunet/src/compiler_lib/CompilerDriver.h =================================================================== --- branches/v3_1_secunet/src/compiler_lib/CompilerDriver.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/compiler_lib/CompilerDriver.h 2009-08-27 05:03:34 UTC (rev 1353) @@ -40,6 +40,7 @@ class FWObjectDatabase; class Cluster; class ClusterGroup; + class FailoverClusterGroup; class Firewall; class RuleSet; class Interface; 
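Review bot: populateClusterElements and copyFailoverInterface validate objects taken from the loaded data file with `assert(iface)` and `assert(new_cl_if != NULL)`, which compile out under NDEBUG and then leave a null dereference when a cluster-group reference does not resolve to an Interface; the same function already reports structural problems with `throw FWException(...)`, so use that here too, e.g. `if (iface == NULL) throw FWException("Cluster group reference does not point to an interface");`. The inner loop of the state-sync section reuses the name `it` for an iterator of the same type as the outer `it`, which compiles but invites a misread; renaming the inner one (`ref_it`) avoids it. isReachable dereferences `*netm` while only `addr` is null-checked; whether getNetmaskPtr can return NULL is not visible here, so either guard both pointers or document the precondition. The loop over `cluster->findByType(Interface::TYPENAME)` calls copyFailoverInterface, which appends a copy of the member interface to the same cluster via `cluster->addCopyOf(iface, true)`; whether FWObjectTypedChildIterator tolerates insertion during iteration, and whether the appended copies are then visited as "cluster interface without failover group", is not visible in this diff and deserves a comment at the loop.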
@@ -67,6 +68,8 @@ int dl; int drp; bool rule_debug_on; + bool single_rule_compile_on; + std::string single_rule_id; int drn; int verbose; bool have_dynamic_interfaces; @@ -87,6 +90,12 @@ bool isSupported(std::list<std::string> *protocols, const std::string &cluster_group_type); + virtual int checkCluster(libfwbuilder::Cluster* cluster); + + // checks if address @addr belongs to the subnet defined by @subnet + static bool isReachable(const libfwbuilder::Address* const subnet, + const libfwbuilder::InetAddr* const addr); + public: CompilerDriver(libfwbuilder::FWObjectDatabase *db); 
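Review bot: The declaration of isReachable names its parameters `subnet` and `addr`, and the new comment documents them that way, while the definition added to CompilerDriver.cpp in this same commit names them `client` and `server`, which reads as a connectivity test rather than the subnet-membership check the code performs; align the definition with the header, `bool CompilerDriver::isReachable(const Address* const subnet, const InetAddr* const addr)`. checkCluster is declared to return int, but its definition only ever returns 0 after throwing on every error; if the value carries no meaning, declaring it void or adding `// returns 0; errors are reported by throwing FWException` makes the contract explicit.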
@@ -94,14 +103,40 @@ // create a copy of itself, including objdb virtual CompilerDriver* clone(); - + + /** + * Process command line arguments + */ virtual bool configure(const QStringList &args); - virtual void run(const std::string &cluster_id, const std::string &firewall_id); + /** + * create right compiler objects and compile policy, nat and + * routing rules for given firewall which can be a member of a + * cluster. If firewall is standalone, @cluster_id is an empty + * string. Cluster and firewall are defined by their string IDs. + * In single compile mode rule ID is provided in @single_rule_id + * and generated script is returned. For compilers that create + * several files it is up to the actual cmopiler class to decide + * what should be returned in the single rule compile mode. In + * normal (not single rule) compile mode returned string is + * undefined and should not be used. + */ + virtual std::string run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id); + virtual void commonChecks(libfwbuilder::Firewall *fw); virtual void commonChecks2(libfwbuilder::Cluster *cluster, libfwbuilder::Firewall *fw); + void copyFailoverInterface(libfwbuilder::Cluster *cluster, + libfwbuilder::Firewall *fw, + libfwbuilder::FailoverClusterGroup *cluster_group, + libfwbuilder::Interface *iface); + + virtual int populateClusterElements(libfwbuilder::Cluster *cluster, + libfwbuilder::Firewall *fw); + virtual void processStateSyncGroups(libfwbuilder::Cluster*, libfwbuilder::Firewall*) {}; Modified: branches/v3_1_secunet/src/compiler_lib/compiler_lib.pro =================================================================== --- branches/v3_1_secunet/src/compiler_lib/compiler_lib.pro 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/compiler_lib/compiler_lib.pro 2009-08-27 05:03:34 UTC (rev 1353) 
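Review bot: The new doc comment on run() has a typo, `cmopiler` should read `compiler`, and its last sentence says the returned string is undefined outside single rule compile mode while the base implementation in this commit returns `""`; stating `returns an empty string unless in single rule compile mode` gives callers a contract they can rely on. copyFailoverInterface is the only new method in this group declared non-virtual while its neighbours populateClusterElements, checkCluster and processStateSyncGroups are virtual; if that is deliberate, a short comment saying so would prevent a future "fix".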
@@ -8,6 +8,7 @@ TEMPLATE = lib SOURCES = CompilerDriver.cpp \ + CompilerDriver_compile.cpp \ Configlet.cpp \ linux24Interfaces.cpp \ interfacePropertiesObjectFactory.cpp Modified: branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl.h =================================================================== --- branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl.h 2009-08-27 05:03:34 UTC (rev 1353) @@ -58,11 +58,9 @@ // create a copy of itself, including objdb virtual CompilerDriver* clone(); - /* - * Kitchen sink method that copies steps previously implemented in main() - */ - virtual void run(const std::string &cluster_id, - const std::string &firewall_id); + virtual std::string run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id); }; Modified: branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl_run.cpp =================================================================== --- branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl_run.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/iosacl/CompilerDriver_iosacl_run.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -84,8 +84,9 @@ using namespace libfwbuilder; using namespace fwcompiler; -void CompilerDriver_iosacl::run(const std::string &cluster_id, - const std::string &firewall_id) +string CompilerDriver_iosacl::run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id) { if (test_mode) cout << "*** Running in test mode, all errors are ignored" << endl << endl; @@ -99,6 +100,9 @@ objdb->findInIndex(objdb->getIntId(firewall_id))); assert(fw); + // Copy rules from the cluster object + populateClusterElements(cluster, fw); + commonChecks2(cluster, fw); // Note that fwobjectname may be different from the name of the 
@@ -199,8 +203,7 @@ - OSConfigurator *oscnf = new OSConfigurator_ios( - objdb, current_firewall_name.toUtf8().constData(), false); + OSConfigurator *oscnf = new OSConfigurator_ios(objdb, fw, false); oscnf->prolog(); oscnf->processFirewallOptions(); @@ -254,8 +257,7 @@ } if (policy_count) { - Preprocessor* prep = new Preprocessor( - objdb, current_firewall_name.toUtf8().constData(), false); + Preprocessor* prep = new Preprocessor(objdb, fw, false); prep->compile(); } @@ -266,12 +268,10 @@ if (!policy->matchingAddressFamily(policy_af)) continue; - PolicyCompiler_iosacl c( - objdb, current_firewall_name.toUtf8().constData(), - ipv6_policy, oscnf); + PolicyCompiler_iosacl c(objdb, fw, ipv6_policy, oscnf); c.setSourceRuleSet( policy ); - + c.setSingleRuleCompileMode(single_rule_id); if (test_mode) c.setTestMode(); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule( drp ); @@ -311,8 +311,9 @@ { // currently routing is supported only for ipv4 RoutingCompiler_iosacl r( - objdb, current_firewall_name.toUtf8().constData(), false, oscnf); + objdb, fw, false, oscnf); + r.setSingleRuleCompileMode(single_rule_id); if (test_mode) r.setTestMode(); r.setDebugLevel( dl ); if (rule_debug_on) r.setDebugRule( drp ); @@ -414,9 +415,8 @@ " for writing"); } - cout << " Compiled successfully" << endl << flush; - delete oscnf; + return ""; } Modified: branches/v3_1_secunet/src/iosacl/OSConfigurator_ios.h =================================================================== --- branches/v3_1_secunet/src/iosacl/OSConfigurator_ios.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/iosacl/OSConfigurator_ios.h 2009-08-27 05:03:34 UTC (rev 1353) 
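Review bot: oscnf is still a raw owning pointer that is freed only by the `delete oscnf;` just before the new `return "";`, so the FWException now thrown by commonChecks/validateClusterGroups, or any error raised inside the compiler loop, leaks the OSConfigurator; the commit log says std::auto_ptr was adopted for exactly this in CompilerDriver_ipt_run.cpp, and the same applies here: `std::auto_ptr<OSConfigurator> oscnf(new OSConfigurator_ios(objdb, fw, false));`, passing `oscnf.get()` to the compilers and dropping the trailing delete. The `Preprocessor* prep = new Preprocessor(objdb, fw, false);` in the -254 hunk is never deleted in the visible lines. Both patterns recur in the CompilerDriver_ipf::run hunks later in this diff (the Preprocessor and the OSConfigurator_solaris/openbsd/freebsd objects), so the same treatment is needed there. In single-rule mode this driver returns `""` regardless of single_rule_id, consistent with the log's statement that the feature is complete only in fwb_ipt; a comment at the return, `// single rule compile not implemented for this platform yet`, would save the next reader a search.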
@@ -45,9 +45,9 @@ virtual ~OSConfigurator_ios() {}; OSConfigurator_ios(libfwbuilder::FWObjectDatabase *_db, - const std::string &fwname, + libfwbuilder::Firewall *fw, bool ipv6_policy) : - OSConfigurator(_db, fwname, ipv6_policy) {} + OSConfigurator(_db, fw, ipv6_policy) {} virtual int prolog(); Modified: branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.cpp =================================================================== --- branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -61,10 +61,10 @@ string PolicyCompiler_iosacl::myPlatformName() { return "iosacl"; } PolicyCompiler_iosacl::PolicyCompiler_iosacl(FWObjectDatabase *_db, - const std::string &fwname, + Firewall *fw, bool ipv6_policy, OSConfigurator *_oscnf) : - PolicyCompiler_cisco(_db, fwname, ipv6_policy, _oscnf) + PolicyCompiler_cisco(_db, fw, ipv6_policy, _oscnf) { resetinbound=false; fragguard=false; Modified: branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.h =================================================================== --- branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/iosacl/PolicyCompiler_iosacl.h 2009-08-27 05:03:34 UTC (rev 1353) @@ -252,7 +252,7 @@ public: PolicyCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db, - const std::string &fwname, + libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf); virtual ~PolicyCompiler_iosacl() {} Modified: branches/v3_1_secunet/src/iosacl/RoutingCompiler_iosacl.h =================================================================== --- branches/v3_1_secunet/src/iosacl/RoutingCompiler_iosacl.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/iosacl/RoutingCompiler_iosacl.h 2009-08-27 05:03:34 UTC (rev 1353) 
@@ -73,9 +73,9 @@ public: RoutingCompiler_iosacl(libfwbuilder::FWObjectDatabase *_db, - const std::string &fwname, bool ipv6_policy, + libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf) : - RoutingCompiler_cisco(_db, fwname, ipv6_policy, _oscnf) {}; + RoutingCompiler_cisco(_db, fw, ipv6_policy, _oscnf) {}; virtual int prolog(); virtual void compile(); Modified: branches/v3_1_secunet/src/ipf/CompilerDriver_ipf.h =================================================================== --- branches/v3_1_secunet/src/ipf/CompilerDriver_ipf.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipf/CompilerDriver_ipf.h 2009-08-27 05:03:34 UTC (rev 1353) @@ -60,11 +60,9 @@ // create a copy of itself, including objdb virtual CompilerDriver* clone(); - /* - * Kitchen sink method that copies steps previously implemented in main() - */ - virtual void run(const std::string &cluster_id, - const std::string &firewall_id); + virtual std::string run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id); }; Modified: branches/v3_1_secunet/src/ipf/CompilerDriver_ipf_run.cpp =================================================================== --- branches/v3_1_secunet/src/ipf/CompilerDriver_ipf_run.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipf/CompilerDriver_ipf_run.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -87,8 +87,9 @@ using namespace libfwbuilder; using namespace fwcompiler; -void CompilerDriver_ipf::run(const std::string &cluster_id, - const std::string &firewall_id) +string CompilerDriver_ipf::run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id) { Cluster *cluster = NULL; if (!cluster_id.empty()) 
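Review bot: The "Kitchen sink method" comment on `run` is deleted and nothing documents the new contract: what the returned `std::string` holds and what an empty `single_rule_id` means. From CompilerDriver_ipt_run.cpp (`if (single_rule_compile_on) return generated_script + routing_compiler->getCompiledScript();` and the trailing `return "";`) the contract appears to be "empty string in normal mode, the generated text of the selected rule in single-rule mode", but that should be stated at the declaration rather than inferred. Suggest a comment above the declaration such as `/* Compile firewall firewall_id (member of cluster cluster_id, which may be empty). A non-empty single_rule_id compiles only that rule and returns its generated text; otherwise output goes to files and "" is returned. */`. The same undocumented declaration appears in the CompilerDriver_ipfw.h and CompilerDriver_ipt.h hunks (`@@ -55,11 +55,9 @@`), and presumably on the virtual in CompilerDriver.h, which is not in this chunk.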
@@ -99,6 +100,9 @@ objdb->findInIndex(objdb->getIntId(firewall_id))); assert(fw); + // Copy rules from the cluster object + populateClusterElements(cluster, fw); + commonChecks2(cluster, fw); FWOptions* options = fw->getOptionsObject(); @@ -133,7 +137,7 @@ QString shell_dbg = (debug)?"-x":"" ; QString ipf_dbg = (debug)?"-v":""; - Preprocessor* prep = new Preprocessor(objdb , current_firewall_name.toUtf8().constData(), false); + Preprocessor* prep = new Preprocessor(objdb , fw, false); prep->compile(); /* @@ -142,13 +146,13 @@ OSConfigurator *oscnf=NULL; string family=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceStr("/FWBuilderResources/Target/family"); if ( family=="solaris" ) - oscnf=new OSConfigurator_solaris(objdb , current_firewall_name.toUtf8().constData(), false); + oscnf=new OSConfigurator_solaris(objdb , fw, false); if ( family=="openbsd") - oscnf=new OSConfigurator_openbsd(objdb , current_firewall_name.toUtf8().constData(), false); + oscnf=new OSConfigurator_openbsd(objdb , fw, false); if ( family=="freebsd") - oscnf=new OSConfigurator_freebsd(objdb , current_firewall_name.toUtf8().constData(), false); + oscnf=new OSConfigurator_freebsd(objdb , fw, false); if (oscnf==NULL) throw FWException("Unrecognized host OS " + @@ -159,8 +163,9 @@ /* * create compilers and run the whole thing */ - PolicyCompiler_ipf c( objdb , current_firewall_name.toUtf8().constData(), false , oscnf ); + PolicyCompiler_ipf c( objdb , fw, false , oscnf ); + c.setSingleRuleCompileMode(single_rule_id); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule( drp ); c.setVerbose( verbose ); @@ -173,8 +178,9 @@ c.epilog(); } - NATCompiler_ipf n( objdb , current_firewall_name.toUtf8().constData(), false , oscnf ); + NATCompiler_ipf n( objdb , fw, false , oscnf ); + n.setSingleRuleCompileMode(single_rule_id); n.setDebugLevel( dl ); if (rule_debug_on) n.setDebugRule( drn ); n.setVerbose( verbose ); 
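Review bot: `populateClusterElements(cluster, fw);` is called unconditionally although `cluster` is `NULL` for a standalone firewall (`Cluster *cluster = NULL; if (!cluster_id.empty()) ...` in the previous hunk). Whether the helper tolerates a NULL cluster is not visible here (it lives in CompilerDriver.cpp, outside this chunk); either guard the call with `if (cluster) populateClusterElements(cluster, fw);` or, once confirmed, extend the comment to `// Copy rules from the cluster object (no-op for a standalone firewall, cluster == NULL)`. The same call is added in the ipfw and ipt run hunks at `@@ -95,6 +96,9 @@` and `@@ -111,6 +113,9 @@`.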
@@ -424,7 +430,7 @@ " for writing"); } - cout << " Compiled successfully" << endl << flush; + return ""; } Modified: branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw.h =================================================================== --- branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw.h 2009-08-27 05:03:34 UTC (rev 1353) @@ -55,11 +55,9 @@ // create a copy of itself, including objdb virtual CompilerDriver* clone(); - /* - * Kitchen sink method that copies steps previously implemented in main() - */ - virtual void run(const std::string &cluster_id, - const std::string &firewall_id); + virtual std::string run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id); }; Modified: branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw_run.cpp =================================================================== --- branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw_run.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipfw/CompilerDriver_ipfw_run.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -83,8 +83,9 @@ using namespace libfwbuilder; using namespace fwcompiler; -void CompilerDriver_ipfw::run(const std::string &cluster_id, - const std::string &firewall_id) +string CompilerDriver_ipfw::run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id) { Cluster *cluster = NULL; if (!cluster_id.empty()) @@ -95,6 +96,9 @@ objdb->findInIndex(objdb->getIntId(firewall_id))); assert(fw); + // Copy rules from the cluster object + populateClusterElements(cluster, fw); + commonChecks2(cluster, fw); FWOptions* options = fw->getOptionsObject(); 
@@ -119,10 +123,10 @@ OSConfigurator *oscnf=NULL; string family=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceStr("/FWBuilderResources/Target/family"); if ( family=="macosx") - oscnf=new OSConfigurator_macosx(objdb , current_firewall_name.toUtf8().constData(), false); + oscnf=new OSConfigurator_macosx(objdb , fw, false); if ( family=="freebsd") - oscnf=new OSConfigurator_freebsd(objdb , current_firewall_name.toUtf8().constData(), false); + oscnf=new OSConfigurator_freebsd(objdb , fw, false); if (oscnf==NULL) throw FWException(_("Unrecognized host OS ")+fw->getStr("host_OS")+" (family "+family+")"); @@ -182,7 +186,7 @@ if (policy_count) { Preprocessor* prep = new Preprocessor( - objdb , current_firewall_name.toUtf8().constData(), ipv6_policy); + objdb , fw, ipv6_policy); if (test_mode) prep->setTestMode(); prep->compile(); } @@ -198,10 +202,11 @@ if (!policy->matchingAddressFamily(policy_af)) continue; - PolicyCompiler_ipfw c(objdb, current_firewall_name.toUtf8().constData(), ipv6_policy, oscnf); + PolicyCompiler_ipfw c(objdb, fw, ipv6_policy, oscnf); c.setIPFWNumber(ipfw_rule_number); c.setSourceRuleSet( policy ); c.setRuleSetName(branch_name); + c.setSingleRuleCompileMode(single_rule_id); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule( drp ); c.setVerbose( (bool)(verbose) ); @@ -254,7 +259,7 @@ /* * create compilers and run the whole thing */ - PolicyCompiler_ipfw c( objdb , current_firewall_name.toUtf8().constData(), false , oscnf ); + PolicyCompiler_ipfw c( objdb , fw, false , oscnf ); c.setDebugLevel( dl ); if (rule_debug_on) c.setDebugRule( drp ); @@ -379,7 +384,7 @@ script << c.getCompiledScript(); } #else - PolicyCompiler_ipfw c(objdb, current_firewall_name.toUtf8().constData(), false, oscnf); + PolicyCompiler_ipfw c(objdb, fw, false, oscnf); script << c.defaultRules(); script << generated_script; #endif 
@@ -420,5 +425,6 @@ fw_file_name.toStdString() + " for writing"); } + return ""; } Modified: branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.cpp =================================================================== --- branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -35,6 +35,7 @@ #include <assert.h> #include <cstring> #include <iomanip> +#include <memory> #include "CompilerDriver_ipt.h" @@ -127,6 +128,10 @@ } } +/* + * TODO: use configlet to define structure of generated script. Need + * 2 configlets: for the shell script format and iptables-restore format + */ string CompilerDriver_ipt::dumpScript(Firewall *fw, const string& reset_script, const string& nat_script, @@ -140,7 +145,7 @@ if (fw->getOptionsObject()->getBool("use_iptables_restore")) { - if (!reset_script.empty() && !filter_script.empty()) + if (!filter_script.empty()) { script << "echo '*filter'\n"; script << reset_script; @@ -197,6 +202,7 @@ bool CompilerDriver_ipt::processPolicyRuleSet( Firewall *fw, FWObject *ruleset, + const string &single_rule_id, ostringstream &filter_table_stream, ostringstream &mangle_table_stream, ostringstream &automatic_rules_stream, 
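Review bot: Dropping `!reset_script.empty()` from the `use_iptables_restore` condition in dumpScript changes the output when reset_script is empty: the restore input now gets a `*filter` section whose first content is the empty reset script followed by the rules. If the reset script is where the chain-policy and flush lines come from, such a file loads the rules on top of whatever policies the device currently has, which is a different security posture than a full compile; if the empty case can only arise in the new single-rule mode, that is fine but deserves a comment on the condition, e.g. `// reset_script may be empty (single rule compile); emit the *filter header whenever there are filter rules`. dumpScript continues outside the hunk.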
@@ -229,19 +235,18 @@ bool ipv6_policy = (policy_af == AF_INET6); - MangleTableCompiler_ipt *mangle_compiler; + std::auto_ptr<MangleTableCompiler_ipt> mangle_compiler( + new MangleTableCompiler_ipt(objdb , fw, + ipv6_policy , oscnf, + &minus_n_commands_mangle )); - mangle_compiler = new MangleTableCompiler_ipt( - objdb , current_firewall_name.toUtf8().constData(), - ipv6_policy , oscnf, - &minus_n_commands_mangle ); - if (!policy->isTop()) mangle_compiler->registerRuleSetChain(branch_name); mangle_compiler->setSourceRuleSet( policy ); mangle_compiler->setRuleSetName(branch_name); + mangle_compiler->setSingleRuleCompileMode(single_rule_id); mangle_compiler->setDebugLevel( dl ); if (rule_debug_on) mangle_compiler->setDebugRule( drp ); mangle_compiler->setVerbose( (bool)(verbose) ); @@ -313,19 +318,19 @@ } } - PolicyCompiler_ipt *policy_compiler = NULL; + std::auto_ptr<PolicyCompiler_ipt> policy_compiler; if (fw->getStr("host_OS") == "secuwall") { - policy_compiler = new PolicyCompiler_secuwall( - objdb,current_firewall_name.toUtf8().constData(), ipv6_policy, oscnf, - &minus_n_commands_filter); + policy_compiler = std::auto_ptr<PolicyCompiler_ipt>( + new PolicyCompiler_secuwall(objdb,fw, ipv6_policy, oscnf, + &minus_n_commands_filter)); } else { - policy_compiler = new PolicyCompiler_ipt( - objdb,current_firewall_name.toUtf8().constData(), ipv6_policy, oscnf, - &minus_n_commands_filter); + policy_compiler = std::auto_ptr<PolicyCompiler_ipt>( + new PolicyCompiler_ipt(objdb,fw, ipv6_policy, oscnf, + &minus_n_commands_filter)); } - if (policy_compiler==NULL) + if (policy_compiler.get()==NULL) throw FWException("Unrecognized firewall platform " + fw->getStr("platform") + " (family " + platform_family+")"); 
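Review bot: The `if (policy_compiler.get()==NULL)` check after the if/else is unreachable: both branches assign a freshly `new`ed compiler and `new` throws `std::bad_alloc` rather than returning NULL, so the "Unrecognized firewall platform" FWException can never be raised from here (the raw-pointer version had the same dead check, but the line is being rewritten anyway). Either drop the check or, if unknown platforms are meant to be rejected, test `platform_family` before constructing a compiler and throw there. processPolicyRuleSet starts before and continues after this hunk.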
@@ -336,6 +341,7 @@ policy_compiler->setSourceRuleSet( policy ); policy_compiler->setRuleSetName(branch_name); + policy_compiler->setSingleRuleCompileMode(single_rule_id); policy_compiler->setDebugLevel( dl ); if (rule_debug_on) policy_compiler->setDebugRule( drp ); policy_compiler->setVerbose( (bool)(verbose) ); Modified: branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.h =================================================================== --- branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipt/CompilerDriver_ipt.h 2009-08-27 05:03:34 UTC (rev 1353) @@ -55,11 +55,9 @@ // create a copy of itself, including objdb virtual CompilerDriver* clone(); - /* - * Kitchen sink method that copies steps previously implemented in main() - */ - virtual void run(const std::string &cluster_id, - const std::string &firewall_id); + virtual std::string run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id); void assignRuleSetChain(libfwbuilder::RuleSet *ruleset); void findBranchesInMangleTable(libfwbuilder::Firewall*, @@ -75,6 +73,7 @@ bool processPolicyRuleSet( libfwbuilder::Firewall *fw, libfwbuilder::FWObject *ruleset, + const std::string &single_rule_id, std::ostringstream &filter_table_stream, std::ostringstream &mangle_table_stream, std::ostringstream &automatic_rules_stream, Modified: branches/v3_1_secunet/src/ipt/CompilerDriver_ipt_run.cpp =================================================================== --- branches/v3_1_secunet/src/ipt/CompilerDriver_ipt_run.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipt/CompilerDriver_ipt_run.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -48,6 +48,7 @@ #include <assert.h> #include <cstring> #include <iomanip> +#include <memory> #include "CompilerDriver_ipt.h" 
@@ -99,8 +100,9 @@ * operates with a copy of the object database which is not exposed * outside, so the caller can not provide pointers to these obejcts. */ -void CompilerDriver_ipt::run(const std::string &cluster_id, - const std::string &firewall_id) +string CompilerDriver_ipt::run(const std::string &cluster_id, + const std::string &firewall_id, + const std::string &single_rule_id) { Cluster *cluster = NULL; if (!cluster_id.empty()) @@ -111,6 +113,9 @@ objdb->findInIndex(objdb->getIntId(firewall_id))); assert(fw); + // Copy rules from the cluster object + populateClusterElements(cluster, fw); + commonChecks2(cluster, fw); string fw_version = fw->getStr("version"); @@ -140,7 +145,7 @@ bool debug=options->getBool("debug"); QString shell_dbg = (debug)?"set -x":"" ; - OSConfigurator_linux24 *oscnf = NULL; + std::auto_ptr<OSConfigurator_linux24> oscnf; string platform_family = Resources::platform_res[platform]-> getResourceStr("/FWBuilderResources/Target/family"); @@ -172,19 +177,19 @@ // in states ESTABLISHED,RELATED fw->getOptionsObject()->setBool("accept_established", false); - oscnf = new OSConfigurator_ipcop( - objdb , current_firewall_name.toUtf8().constData(), false); + oscnf = std::auto_ptr<OSConfigurator_linux24>( + new OSConfigurator_ipcop(objdb , fw, false)); } if (os_family == "linux24" || os_family == "sveasoft") - oscnf = new OSConfigurator_linux24( - objdb , current_firewall_name.toUtf8().constData(), false); + oscnf = std::auto_ptr<OSConfigurator_linux24>( + new OSConfigurator_linux24(objdb , fw, false)); if (os_family == "secuwall") - oscnf = new OSConfigurator_secuwall( - objdb , current_firewall_name.toUtf8().constData(), false); + oscnf = std::auto_ptr<OSConfigurator_linux24>( + new OSConfigurator_secuwall(objdb , fw, false)); - if (oscnf==NULL) + if (oscnf.get()==NULL) throw FWException("Unrecognized host OS " + fw->getStr("host_OS") + " (family " + os_family+")"); 
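Review bot: `std::auto_ptr<OSConfigurator_linux24> oscnf;` is assigned by three consecutive `if` statements and each reassignment destroys the previous configurator, which is correct, but the ownership split is worth a comment since the compilers later receive `oscnf.get()` and keep that raw pointer: `// oscnf owns the configurator; the compilers below only borrow oscnf.get() and must not outlive run()`. The `if (oscnf.get()==NULL)` check is the right one here because the earlier branches are conditional, unlike the always-assigned compiler in processPolicyRuleSet. run() continues outside the hunk.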
@@ -278,7 +283,7 @@ if (nat_count || policy_count) { Preprocessor* prep = new Preprocessor( - objdb , current_firewall_name.toUtf8().constData(), ipv6_policy); + objdb , fw, ipv6_policy); if (test_mode) prep->setTestMode(); prep->compile(); delete prep; @@ -304,15 +309,14 @@ // compile NAT rules before policy rules because policy // compiler needs to know the number of virtual addresses // being created for NAT - NATCompiler_ipt *nat_compiler; + std::auto_ptr<NATCompiler_ipt> nat_compiler( + new NATCompiler_ipt(objdb, fw, ipv6_policy, + oscnf.get(), &minus_n_commands_nat)); - nat_compiler = new NATCompiler_ipt( - objdb, current_firewall_name.toUtf8().constData(), ipv6_policy, - oscnf, &minus_n_commands_nat); - nat_compiler->setSourceRuleSet( nat ); nat_compiler->setRuleSetName(branch_name); + nat_compiler->setSingleRuleCompileMode(single_rule_id); nat_compiler->setDebugLevel( dl ); if (rule_debug_on) nat_compiler->setDebugRule( drn ); nat_compiler->setVerbose( (bool)(verbose) ); @@ -363,16 +367,17 @@ if (! processPolicyRuleSet( fw, policy, + single_rule_id, filter_rules_stream, mangle_rules_stream, automaitc_rules_stream, - oscnf, + oscnf.get(), policy_af, minus_n_commands_filter, minus_n_commands_mangle)) empty_output = false; } - if (!empty_output) + if (!empty_output && !single_rule_compile_on) { if (ipv6_policy) { @@ -396,11 +401,10 @@ ipv6_policy); } - RoutingCompiler_ipt *routing_compiler; + std::auto_ptr<RoutingCompiler_ipt> routing_compiler( + new RoutingCompiler_ipt(objdb, fw, false, oscnf.get())); - routing_compiler = new RoutingCompiler_ipt( - objdb , current_firewall_name.toUtf8().constData() , false, oscnf ); - + routing_compiler->setSingleRuleCompileMode(single_rule_id); routing_compiler->setDebugLevel( dl ); if (rule_debug_on) routing_compiler->setDebugRule(drp); routing_compiler->setVerbose( verbose ); 
@@ -412,6 +416,13 @@ routing_compiler->epilog(); } + if (single_rule_compile_on) + { + // in single rule compile mode just return the result + return generated_script + routing_compiler->getCompiledScript(); + } + + /* * These store generated configuration internally, extract it later using * OSConfiguration::getGeneratedFiles(); @@ -653,10 +664,8 @@ fw_file_name.toStdString() + " for writing"); } - - /* Cleanup ressources */ - delete oscnf; - + + return ""; } Modified: branches/v3_1_secunet/src/ipt/MangleTableCompiler_ipt.h =================================================================== --- branches/v3_1_secunet/src/ipt/MangleTableCompiler_ipt.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipt/MangleTableCompiler_ipt.h 2009-08-27 05:03:34 UTC (rev 1353) @@ -46,12 +46,12 @@ public: MangleTableCompiler_ipt(libfwbuilder::FWObjectDatabase *_db, - const std::string &fwname, + libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, std::map<const std::string, bool> *m_n_cmd_map ) : - PolicyCompiler_ipt(_db, fwname, ipv6_policy, _oscnf, m_n_cmd_map) + PolicyCompiler_ipt(_db, fw, ipv6_policy, _oscnf, m_n_cmd_map) { my_table = "mangle"; } Modified: branches/v3_1_secunet/src/ipt/NATCompiler_PrintRule.cpp =================================================================== --- branches/v3_1_secunet/src/ipt/NATCompiler_PrintRule.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipt/NATCompiler_PrintRule.cpp 2009-08-27 05:03:34 UTC (rev 1353) 
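Review bot: The early `return generated_script + routing_compiler->getCompiledScript();` and the `!single_rule_compile_on` guard at `@@ -363,16 +367,17 @@` depend on the driver-level flag `single_rule_compile_on`, but nothing in these hunks derives it from the `single_rule_id` parameter; only the compilers receive the id via `setSingleRuleCompileMode`. If the base driver sets it from the same id in CompilerDriver.cpp (modified in this commit, outside this chunk), a comment at the guard such as `// single_rule_compile_on is set by CompilerDriver from single_rule_id` would make the coupling visible; if it is not, the guard is dead and the full file-writing path always runs. The returned text also appends the routing script unconditionally, which is only correct if the routing compiler's single-rule filtering yields an empty script for a policy or NAT rule id; worth confirming or noting in the comment above the return.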
@@ -153,8 +153,11 @@ { ostringstream res; - bool nocomm=Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments"); + bool nocomm = + Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments"); + if (compiler->inSingleRuleCompileMode()) return ""; + string rl=rule->getLabel(); if (rl!=current_rule_label) { Modified: branches/v3_1_secunet/src/ipt/NATCompiler_ipt.cpp =================================================================== --- branches/v3_1_secunet/src/ipt/NATCompiler_ipt.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipt/NATCompiler_ipt.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -2203,6 +2203,8 @@ add( new printTotalNumberOfRules()); + add( new singleRuleFilter()); + add( new recursiveGroupsInOSrc("check for recursive groups in OSRC")); add( new recursiveGroupsInODst("check for recursive groups in ODST")); add( new recursiveGroupsInOSrv("check for recursive groups in OSRV")); Modified: branches/v3_1_secunet/src/ipt/NATCompiler_ipt.h =================================================================== --- branches/v3_1_secunet/src/ipt/NATCompiler_ipt.h 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipt/NATCompiler_ipt.h 2009-08-27 05:03:34 UTC (rev 1353) 
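Review bot: The new `if (compiler->inSingleRuleCompileMode()) return "";` sits below the `nocomm` initialisation, so the `Resources::os_res[...]` lookup and `getResourceBool` call are performed and then discarded on the single-rule path; move the early return to the top of the function, before `ostringstream res;`, so the function's guard clause comes first. Separately, if `os_res` is a std::map, `operator[]` default-inserts a NULL entry for an unknown `host_OS` key and the following `->` dereferences it; that is pre-existing, but since the line is being reflowed anyway a `find` plus a check would be safer. The enclosing function starts outside the hunk.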
@@ -574,11 +574,11 @@ public: NATCompiler_ipt(libfwbuilder::FWObjectDatabase *_db, - const std::string &fwname, + libfwbuilder::Firewall *fw, bool ipv6_policy, fwcompiler::OSConfigurator *_oscnf, std::map<const std::string, bool> *m_n_commands_map) : - NATCompiler(_db, fwname, ipv6_policy, _oscnf) + NATCompiler(_db, fw, ipv6_policy, _oscnf) { have_dynamic_interfaces=false; printRule=NULL; Modified: branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.cpp =================================================================== --- branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.cpp 2009-08-26 21:31:39 UTC (rev 1352) +++ branches/v3_1_secunet/src/ipt/OSConfigurator_ipcop.cpp 2009-08-27 05:03:34 UTC (rev 1353) @@ -36,9 +36,9 @@ string OSConfigurator_ipcop::myPlatformName() { return "ipcop"; } OSConfigurator_ipcop:... [truncated message content] |