[Iscs-developers] ISCS/devel-docs/Database models,1.1,1.2 models.sql,1.1,1.2 PEPTableDef,1.7,1.8 Pro
Status: Beta
Brought to you by:
jsulliva
Menu
▾
▴
[Iscs-developers] ISCS/devel-docs/Database models,1.1,1.2 models.sql,1.1,1.2 PEPTableDef,1.7,1.8 Protected_NetworkTableDef,1.4,1.5 resource_groupsTableDef,1.3,1.4 resources_ipTableDef,1.2,1.3 serversTableDef,1.4,1.5 servicesTableDef,1.5,1.6 spmskeleton.sql,1.14,1.15
|
From: <jsu...@us...> - 2003-12-25 05:23:53
|
Update of /cvsroot/iscs/ISCS/devel-docs/Database
In directory sc8-pr-cvs1:/tmp/cvs-serv18726/devel-docs/Database
Modified Files:
models models.sql PEPTableDef Protected_NetworkTableDef
resource_groupsTableDef resources_ipTableDef serversTableDef
servicesTableDef spmskeleton.sql
Log Message:
Altered database schema for network nat
Implemented more model functionality including making all iptables able to distinguish between those with the iprange patch and those without
Index: models
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/models,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** models 7 Dec 2003 06:32:32 -0000 1.1
--- models 25 Dec 2003 05:23:50 -0000 1.2
***************
*** 12,16 ****
`fw` varchar(255) NOT NULL default '',
`vpn` varchar(255) NOT NULL default '',
! `route` varchar(255) NOT NULL default '',
`dhcp` varchar(255) NOT NULL default '',
`dhcp_relay` varchar(255) NOT NULL default '',
--- 12,16 ----
`fw` varchar(255) NOT NULL default '',
`vpn` varchar(255) NOT NULL default '',
! `router` varchar(255) NOT NULL default '',
`dhcp` varchar(255) NOT NULL default '',
`dhcp_relay` varchar(255) NOT NULL default '',
Index: models.sql
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/models.sql,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** models.sql 13 Dec 2003 08:48:55 -0000 1.1
--- models.sql 25 Dec 2003 05:23:50 -0000 1.2
***************
*** 1,2 ****
! INSERT INTO models VALUES ('Generic','iptables','fsw','iproute2','isc','strongsec');
--- 1,2 ----
! INSERT INTO models VALUES ('Generic','iptables+iprange','fsw','iproute2','isc','strongsec');
Index: PEPTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/PEPTableDef,v
retrieving revision 1.7
retrieving revision 1.8
diff -C2 -d -r1.7 -r1.8
*** PEPTableDef 19 Dec 2003 05:13:40 -0000 1.7
--- PEPTableDef 25 Dec 2003 05:23:50 -0000 1.8
***************
*** 22,25 ****
--- 22,26 ----
`dhcp_server_ip` varchar(15) default NULL,
`current` tinyint(1) NOT NULL default '0',
+ `managed` tinyint(1) NOT NULL default '1',
PRIMARY KEY (`pep`)
) TYPE=InnoDB
***************
*** 54,57 ****
--- 55,60 ----
current - boolean value that flags whether the PEP has the current database
+
+ managed - boolean value that flags whether the PEP is managed by the SPM or part of a foreign VPN
Index: Protected_NetworkTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/Protected_NetworkTableDef,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -d -r1.4 -r1.5
*** Protected_NetworkTableDef 15 Nov 2003 19:54:23 -0000 1.4
--- Protected_NetworkTableDef 25 Dec 2003 05:23:50 -0000 1.5
***************
*** 21,24 ****
--- 21,27 ----
`pep` varchar(25) NOT NULL default '',
`antispoof` tinyint(1) NOT NULL default '0',
+ `nat_internal_remote` tinyint(1) NOT NULL default '0',
+ `nat_internal_local` tinyint(1) NOT NULL default '0',
+ `natnetwork` varchar(15) NOT NULL default '',
PRIMARY KEY (`network`,`netmask`),
KEY `pepip` (`pep_ip_addr`)
***************
*** 52,55 ****
--- 55,65 ----
antispoof - Boolean - provide anti-spoofing protection on this interface
+
+ nat_internal_remote - Boolean flag to indicate whether or not we need to NAT this entire network to a different network (e.g., in the case of conflicting IP addresses) for all non-local networks, i.e., existing on the other side of a different PEP
+
+ nat_internal_local - Boolean flag to indicate whether or not we need to NAT this entire network to a different network (e.g., in the case of conflicting IP addresses) for all local networks
+
+ natnetwork - the IP address of the network to which the real network should be natted
+
JOINS
Index: resource_groupsTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/resource_groupsTableDef,v
retrieving revision 1.3
retrieving revision 1.4
diff -C2 -d -r1.3 -r1.4
*** resource_groupsTableDef 10 Dec 2003 05:43:18 -0000 1.3
--- resource_groupsTableDef 25 Dec 2003 05:23:50 -0000 1.4
***************
*** 10,19 ****
CREATE TABLE `resource_groups` (
`resourcegroup` varchar(255) NOT NULL default '',
! `parent` varchar(255) default NULL,
! `server` varchar(120) default NULL,
! `service` varchar(120) default NULL,
! `comment` varchar(250) default NULL,
! `chainname` bigint(20) default NULL,
! UNIQUE KEY `resourcegroup` (`resourcegroup`,`server`,`service`)
) TYPE=InnoDB
--- 10,20 ----
CREATE TABLE `resource_groups` (
`resourcegroup` varchar(255) NOT NULL default '',
! `parent` varchar(255) NOT NULL default '',
! `server` varchar(235) NOT NULL default '',
! `service` varchar(230) NOT NULL default '',
! `comment` varchar(255) NOT NULL default '',
! `chainname` bigint(20) NOT NULL default '0',
! `tablename` varchar(25) NOT NULL default '',
! PRIMARY KEY (`server`,`service`,`chainname`,`tablename`)
) TYPE=InnoDB
***************
*** 27,30 ****
--- 28,33 ----
chainname - iptables (and perhaps other firewalls) have a very short maximum chain name length -- too short to support long hierarchical names. Thus we map the hierarchical names to a numeric sequence and use the sequence as the actual chainname
+
+ tablename - resource groups should be easily extendable to use X.509 identified resources. This fields tells us in which table to look for the identifier, e.g., resources_ip or resources_x509
Index: resources_ipTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/resources_ipTableDef,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** resources_ipTableDef 15 Nov 2003 19:54:23 -0000 1.2
--- resources_ipTableDef 25 Dec 2003 05:23:50 -0000 1.3
***************
*** 8,38 ****
Table definition for resources_ip
! CREATE TABLE `resources_ip` (
! `server` varchar(120) NOT NULL default '',
! `service` varchar(120) NOT NULL default '',
! `range` varchar(31) NOT NULL default '',
! `natrange` varchar(31) NOT NULL default '',
! `actualrange` text NOT NULL,
! `natactualrange` text NOT NULL,
! `lowbinary` bigint(20) default NULL,
! `highbinary` bigint(20) default NULL,
! PRIMARY KEY (`server`,`service`,`range`)
) TYPE=InnoDB
! server - the name of the server. Syntax is <PEP Name>/<Server Short Name>. Joins to the server column in the resources and resource_groups tables.
!
! service - the name of the service - can be '' which implies that this is the ip address of the server and not of a specific service on the server
!
! range - the private ip range given by the user
! natrange - the public ip range to which the range is natted
! actualrange - the combination of ranges into which the range is subdivided if this range contains a subrange with best match enabled
! natactualrange - the public ip ranges to which the actualrange is natted
! lowbinary - the integer value of the low ip range address
! highbinary - the integer value of the high ip range address
--- 8,32 ----
Table definition for resources_ip
! resources_ip | CREATE TABLE `resources_ip` (
! `server` varchar(235) NOT NULL default '',
! `service` varchar(230) NOT NULL default '',
! `ippairs` text NOT NULL,
! `actualippairs` text NOT NULL,
! `publicport` varchar(255) NOT NULL default '',
! `publicttl` int(11) NOT NULL default '0',
! KEY `server` (`server`,`service`)
) TYPE=InnoDB
! server - the fqdn of the server.
! service - the name of the service
! ippairs - the pairs of public and private addresses. The syntax is "private1:public1;private2:public2;private3:public3 . . ."
! actualippairsif the server contains a Best Match, each individual pair of the ippairs must be further subdivided to exclude the best match. The syntax is "subprivate1:subpublic1,subprivate1:subpublic1;subprivate2:subpublic2;subprivate3:subpublic3,subprivate3:subpublic3 . . ."
! publicport - contains the port to use when sending on a PEP public interface
! publicttl - contains the value to which the TTL should be set when sending on a PEP public interface
Index: serversTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/serversTableDef,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -d -r1.4 -r1.5
*** serversTableDef 21 Oct 2003 03:49:56 -0000 1.4
--- serversTableDef 25 Dec 2003 05:23:50 -0000 1.5
***************
*** 9,25 ****
CREATE TABLE `servers` (
! `server` varchar(120) NOT NULL default '',
! `fqdn` varchar(255) default NULL,
! `actualippairs` text,
! `bestmatch` tinyint(1) default '1',
! `containsbestmatch` tinyint(1) default NULL,
! `comment` varchar(255) default NULL,
! PRIMARY KEY (`server`)
) TYPE=InnoDB
! server - the name of the server. Syntax is <PEP Name>/<Server Short Name>. Joins to the server column in the resources and resource_groups tables.
fqdn - Fully Qualified Domain Name of the server (DNS name)
actualippairs - if the server contains a Best Match, each individual pair of the ippairs must be further subdivided to exclude the best match. The syntax is "subprivate1:subpublic1,subprivate1:subpublic1;subprivate2:subpublic2;subprivate3:subpublic3,subprivate3:subpublic3 . . ." This field is derived programatically from resources_ip
--- 9,29 ----
CREATE TABLE `servers` (
! `pep` varchar(255) NOT NULL default '',
! `fqdn` varchar(235) NOT NULL default '',
! `bestmatch` tinyint(1) NOT NULL default '1',
! `containsbestmatch` tinyint(1) NOT NULL default '0',
! `comment` varchar(255) NOT NULL default '',
! `ippairs` text NOT NULL,
! `publicttl` int(11) NOT NULL default '0',
! `actualippairs` text NOT NULL,
! PRIMARY KEY (`fqdn`)
) TYPE=InnoDB
! pep - the name of the protecting PEP
fqdn - Fully Qualified Domain Name of the server (DNS name)
+ ippairs - contains the private:public ip pairs before altering them for contained best matches
+
actualippairs - if the server contains a Best Match, each individual pair of the ippairs must be further subdivided to exclude the best match. The syntax is "subprivate1:subpublic1,subprivate1:subpublic1;subprivate2:subpublic2;subprivate3:subpublic3,subprivate3:subpublic3 . . ." This field is derived programatically from resources_ip
***************
*** 27,30 ****
--- 31,36 ----
containsbestmatch - boolean column to show if the server's ip address range contains a server which is using best match.
+
+ publicttl - the value to which the TTL should be set when packets from this server leave a PEP public interface
Index: servicesTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/servicesTableDef,v
retrieving revision 1.5
retrieving revision 1.6
diff -C2 -d -r1.5 -r1.6
*** servicesTableDef 21 Dec 2003 10:33:34 -0000 1.5
--- servicesTableDef 25 Dec 2003 05:23:50 -0000 1.6
***************
*** 9,13 ****
CREATE TABLE `services` (
! `name` varchar(120) NOT NULL default '',
`protocol` int(11) NOT NULL default '0',
`protocolname` varchar(40) default NULL,
--- 9,13 ----
CREATE TABLE `services` (
! `name` varchar(230) NOT NULL default '',
`protocol` int(11) NOT NULL default '0',
`protocolname` varchar(40) default NULL,
***************
*** 18,22 ****
) TYPE=InnoDB
! service - the name of the service. Joins to the service column in the resources and resource_groups tables.
protocol - the ip protocol numeric value, e.g., 6 for tcp, 17 for udp, 1 for icmp, 50 for ESP
--- 18,22 ----
) TYPE=InnoDB
! name - the name of the service. Joins to the service column in the resources and resource_groups tables.
protocol - the ip protocol numeric value, e.g., 6 for tcp, 17 for udp, 1 for icmp, 50 for ESP
Index: spmskeleton.sql
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/spmskeleton.sql,v
retrieving revision 1.14
retrieving revision 1.15
diff -C2 -d -r1.14 -r1.15
*** spmskeleton.sql 21 Dec 2003 10:33:34 -0000 1.14
--- spmskeleton.sql 25 Dec 2003 05:23:50 -0000 1.15
***************
*** 130,134 ****
fw varchar(255) NOT NULL default '',
vpn varchar(255) NOT NULL default '',
! route varchar(255) NOT NULL default '',
dhcp varchar(255) NOT NULL default '',
dhcp_relay varchar(255) NOT NULL default '',
--- 130,134 ----
fw varchar(255) NOT NULL default '',
vpn varchar(255) NOT NULL default '',
! router varchar(255) NOT NULL default '',
dhcp varchar(255) NOT NULL default '',
dhcp_relay varchar(255) NOT NULL default '',
***************
*** 171,174 ****
--- 171,175 ----
dhcp_server_ip varchar(15) default NULL,
current tinyint(1) NOT NULL default '0',
+ managed tinyint(1) NOT NULL default '1',
PRIMARY KEY (pep)
) TYPE=InnoDB;
***************
*** 191,194 ****
--- 192,198 ----
pep varchar(25) NOT NULL default '',
antispoof tinyint(1) NOT NULL default '0',
+ nat_internal_remote tinyint(1) NOT NULL default '0',
+ nat_internal_local tinyint(1) NOT NULL default '0',
+ natnetwork varchar(15) NOT NULL default '',
PRIMARY KEY (network,netmask),
KEY pepip (pep_ip_addr)
***************
*** 201,210 ****
CREATE TABLE resource_groups (
resourcegroup varchar(255) NOT NULL default '',
! parent varchar(255) default NULL,
! server varchar(120) default NULL,
! service varchar(120) default NULL,
! comment varchar(250) default NULL,
! chainname bigint(20) default NULL,
! UNIQUE KEY resourcegroup (resourcegroup,server,service)
) TYPE=InnoDB;
--- 205,215 ----
CREATE TABLE resource_groups (
resourcegroup varchar(255) NOT NULL default '',
! parent varchar(255) NOT NULL default '',
! server varchar(235) NOT NULL default '',
! service varchar(230) NOT NULL default '',
! comment varchar(255) NOT NULL default '',
! chainname bigint(20) NOT NULL default '0',
! tablename varchar(25) NOT NULL default '',
! PRIMARY KEY (server,service,chainname,tablename)
) TYPE=InnoDB;
***************
*** 226,238 ****
CREATE TABLE resources_ip (
! server varchar(120) NOT NULL default '',
! service varchar(120) NOT NULL default '',
! range varchar(31) NOT NULL default '',
! natrange varchar(31) NOT NULL default '',
! actualrange text NOT NULL,
! natactualrange text NOT NULL,
! lowbinary bigint(20) default NULL,
! highbinary bigint(20) default NULL,
! PRIMARY KEY (server,service,range)
) TYPE=InnoDB;
--- 231,241 ----
CREATE TABLE resources_ip (
! server varchar(235) NOT NULL default '',
! service varchar(230) NOT NULL default '',
! ippairs text NOT NULL,
! actualippairs text NOT NULL,
! publicport varchar(255) NOT NULL default '',
! publicttl int(11) NOT NULL default '0',
! KEY server (server,service)
) TYPE=InnoDB;
***************
*** 254,264 ****
CREATE TABLE servers (
! server varchar(120) NOT NULL default '',
! fqdn varchar(255) default NULL,
! actualippairs text,
! bestmatch tinyint(1) default '1',
! containsbestmatch tinyint(1) default NULL,
! comment varchar(255) default NULL,
! PRIMARY KEY (server)
) TYPE=InnoDB;
--- 257,269 ----
CREATE TABLE servers (
! pep varchar(255) NOT NULL default '',
! fqdn varchar(235) NOT NULL default '',
! bestmatch tinyint(1) NOT NULL default '1',
! containsbestmatch tinyint(1) NOT NULL default '0',
! comment varchar(255) NOT NULL default '',
! ippairs text NOT NULL,
! publicttl int(11) NOT NULL default '0',
! actualippairs text NOT NULL,
! PRIMARY KEY (fqdn)
) TYPE=InnoDB;
***************
*** 268,272 ****
CREATE TABLE services (
! name varchar(120) NOT NULL default '',
protocol int(11) NOT NULL default '0',
protocolname varchar(40) default NULL,
--- 273,277 ----
CREATE TABLE services (
! name varchar(230) NOT NULL default '',
protocol int(11) NOT NULL default '0',
protocolname varchar(40) default NULL,
|