[Iscs-developers] ISCS/devel-docs/Database models,1.1,1.2 models.sql,1.1,1.2 PEPTableDef,1.7,1.8 Pro
From: <jsu...@us...> - 2003-12-25 05:23:53
Update of /cvsroot/iscs/ISCS/devel-docs/Database
In directory sc8-pr-cvs1:/tmp/cvs-serv18726/devel-docs/Database
Modified Files:
models models.sql PEPTableDef Protected_NetworkTableDef resource_groupsTableDef resources_ipTableDef serversTableDef servicesTableDef spmskeleton.sql
Log Message:
Altered database schema for network nat
Implemented more model functionality including making all iptables able to distinguish between those with the iprange patch and those without
Index: models
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/models,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** models 7 Dec 2003 06:32:32 -0000 1.1
--- models 25 Dec 2003 05:23:50 -0000 1.2
***************
*** 12,16 ****
`fw` varchar(255) NOT NULL default '',
`vpn` varchar(255) NOT NULL default '',
! `route` varchar(255) NOT NULL default '',
`dhcp` varchar(255) NOT NULL default '',
`dhcp_relay` varchar(255) NOT NULL default '',
--- 12,16 ----
`fw` varchar(255) NOT NULL default '',
`vpn` varchar(255) NOT NULL default '',
! `router` varchar(255) NOT NULL default '',
`dhcp` varchar(255) NOT NULL default '',
`dhcp_relay` varchar(255) NOT NULL default '',
Index: models.sql
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/models.sql,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** models.sql 13 Dec 2003 08:48:55 -0000 1.1
--- models.sql 25 Dec 2003 05:23:50 -0000 1.2
***************
*** 1,2 ****
! INSERT INTO models VALUES ('Generic','iptables','fsw','iproute2','isc','strongsec');
--- 1,2 ----
! 
INSERT INTO models VALUES ('Generic','iptables+iprange','fsw','iproute2','isc','strongsec');
Index: PEPTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/PEPTableDef,v
retrieving revision 1.7
retrieving revision 1.8
diff -C2 -d -r1.7 -r1.8
*** PEPTableDef 19 Dec 2003 05:13:40 -0000 1.7
--- PEPTableDef 25 Dec 2003 05:23:50 -0000 1.8
***************
*** 22,25 ****
--- 22,26 ----
`dhcp_server_ip` varchar(15) default NULL,
`current` tinyint(1) NOT NULL default '0',
+ `managed` tinyint(1) NOT NULL default '1',
PRIMARY KEY (`pep`)
) TYPE=InnoDB
***************
*** 54,57 ****
--- 55,60 ----
current - boolean value that flags whether the PEP has the current database
+
+ managed - boolean value that flags whether the PEP is managed by the SPM or part of a foreign VPN
Index: Protected_NetworkTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/Protected_NetworkTableDef,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -d -r1.4 -r1.5
*** Protected_NetworkTableDef 15 Nov 2003 19:54:23 -0000 1.4
--- Protected_NetworkTableDef 25 Dec 2003 05:23:50 -0000 1.5
***************
*** 21,24 ****
--- 21,27 ----
`pep` varchar(25) NOT NULL default '',
`antispoof` tinyint(1) NOT NULL default '0',
+ `nat_internal_remote` tinyint(1) NOT NULL default '0',
+ `nat_internal_local` tinyint(1) NOT NULL default '0',
+ `natnetwork` varchar(15) NOT NULL default '',
PRIMARY KEY (`network`,`netmask`),
KEY `pepip` (`pep_ip_addr`)
***************
*** 52,55 ****
--- 55,65 ----
antispoof - Boolean - provide anti-spoofing protection on this interface
+
+ nat_internal_remote - Boolean flag to indicate whether or not we need to NAT this entire network to a different network (e.g., in the case of conflicting IP addresses) for all non-local networks, i.e., existing on the other side of a different PEP
+
+ nat_internal_local - Boolean flag to indicate whether 
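Review bot: `managed` is added as `tinyint(1) NOT NULL default '1'`, so every PEP row inserted without the column — including one that is really a foreign-VPN peer — counts as SPM-managed until someone clears the flag; that default is only right if every PEP that exists before this change is SPM-managed, which the commit message does not say. The description in the second PEPTableDef hunk also leaves the value encoding open; suggest `managed - boolean: 1 = the PEP is managed by the SPM, 0 = the PEP is a foreign VPN peer that the SPM does not configure`. The same column is added to spmskeleton.sql further down and the two definitions agree.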
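Review bot: `natnetwork` is a `varchar(15)` holding only a network address, while the row is keyed by `(network, netmask)`; neither the column nor the doc hunk that follows says whether the NAT target is taken to share the row's `netmask`, so a reader cannot tell if the mapping is one-to-one. A MySQL table of this vintage will not validate the dotted quad or the two tinyint flags, so the SPM code that writes these columns is presumably the only check that `natnetwork` is well-formed — worth confirming in the writer. Suggest `natnetwork - the network address the real network is natted to; it shares this row's netmask, so the mapping is one-to-one` in the doc hunk. The identical columns are added to spmskeleton.sql below.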
or not we need to NAT this entire network to a different network (e.g., in the case of conflicting IP addresses) for all local networks
+
+ natnetwork - the IP address of the network to which the real network should be natted
+
JOINS
Index: resource_groupsTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/resource_groupsTableDef,v
retrieving revision 1.3
retrieving revision 1.4
diff -C2 -d -r1.3 -r1.4
*** resource_groupsTableDef 10 Dec 2003 05:43:18 -0000 1.3
--- resource_groupsTableDef 25 Dec 2003 05:23:50 -0000 1.4
***************
*** 10,19 ****
CREATE TABLE `resource_groups` (
`resourcegroup` varchar(255) NOT NULL default '',
! `parent` varchar(255) default NULL,
! `server` varchar(120) default NULL,
! `service` varchar(120) default NULL,
! `comment` varchar(250) default NULL,
! `chainname` bigint(20) default NULL,
! UNIQUE KEY `resourcegroup` (`resourcegroup`,`server`,`service`)
) TYPE=InnoDB
--- 10,20 ----
CREATE TABLE `resource_groups` (
`resourcegroup` varchar(255) NOT NULL default '',
! `parent` varchar(255) NOT NULL default '',
! `server` varchar(235) NOT NULL default '',
! `service` varchar(230) NOT NULL default '',
! `comment` varchar(255) NOT NULL default '',
! `chainname` bigint(20) NOT NULL default '0',
! `tablename` varchar(25) NOT NULL default '',
! PRIMARY KEY (`server`,`service`,`chainname`,`tablename`)
) TYPE=InnoDB
***************
*** 27,30 ****
--- 28,33 ----
chainname - iptables (and perhaps other firewalls) have a very short maximum chain name length -- too short to support long hierarchical names. Thus we map the hierarchical names to a numeric sequence and use the sequence as the actual chainname
+
+ tablename - resource groups should be easily extendable to use X.509 identified resources. 
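Review bot: The new `PRIMARY KEY (server,service,chainname,tablename)` drops the old `UNIQUE KEY` on `resourcegroup`, so nothing now prevents one hierarchical group name from mapping to two different `chainname` sequence values, and `chainname ... default '0'` lets a row inserted without its sequence number land silently on chain 0. `tablename` names the table the SPM will read the identifier from, and a table name cannot be bound as a query parameter, so the consumer should compare it against the fixed set of resource tables before using it rather than splicing the stored value into a statement. Suggest keeping `UNIQUE KEY resourcegroup (resourcegroup,server,service)` next to the new primary key and adding to the doc hunk `tablename - must be one of the known resource tables (resources_ip, resources_x509); any other value is rejected before it is used in a query`. The same definition change is repeated in spmskeleton.sql below.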
This fields tells us in which table to look for the identifier, e.g., resources_ip or resources_x509
Index: resources_ipTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/resources_ipTableDef,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** resources_ipTableDef 15 Nov 2003 19:54:23 -0000 1.2
--- resources_ipTableDef 25 Dec 2003 05:23:50 -0000 1.3
***************
*** 8,38 ****
Table definition for resources_ip
! CREATE TABLE `resources_ip` (
! `server` varchar(120) NOT NULL default '',
! `service` varchar(120) NOT NULL default '',
! `range` varchar(31) NOT NULL default '',
! `natrange` varchar(31) NOT NULL default '',
! `actualrange` text NOT NULL,
! `natactualrange` text NOT NULL,
! `lowbinary` bigint(20) default NULL,
! `highbinary` bigint(20) default NULL,
! PRIMARY KEY (`server`,`service`,`range`)
) TYPE=InnoDB
! server - the name of the server. Syntax is <PEP Name>/<Server Short Name>. Joins to the server column in the resources and resource_groups tables.
!
! service - the name of the service - can be '' which implies that this is the ip address of the server and not of a specific service on the server
!
! range - the private ip range given by the user
! natrange - the public ip range to which the range is natted
! actualrange - the combination of ranges into which the range is subdivided if this range contains a subrange with best match enabled
! natactualrange - the public ip ranges to which the actualrange is natted
! lowbinary - the integer value of the low ip range address
! highbinary - the integer value of the high ip range address
--- 8,32 ----
Table definition for resources_ip
! resources_ip | CREATE TABLE `resources_ip` (
! `server` varchar(235) NOT NULL default '',
! `service` varchar(230) NOT NULL default '',
! `ippairs` text NOT NULL,
! `actualippairs` text NOT NULL,
! `publicport` varchar(255) NOT NULL default '',
! 
`publicttl` int(11) NOT NULL default '0',
! KEY `server` (`server`,`service`)
) TYPE=InnoDB
! server - the fqdn of the server.
! service - the name of the service
! ippairs - the pairs of public and private addresses. The syntax is "private1:public1;private2:public2;private3:public3 . . ."
! actualippairsif the server contains a Best Match, each individual pair of the ippairs must be further subdivided to exclude the best match. The syntax is "subprivate1:subpublic1,subprivate1:subpublic1;subprivate2:subpublic2;subprivate3:subpublic3,subprivate3:subpublic3 . . ."
! publicport - contains the port to use when sending on a PEP public interface
! publicttl - contains the value to which the TTL should be set when sending on a PEP public interface
Index: serversTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/serversTableDef,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -d -r1.4 -r1.5
*** serversTableDef 21 Oct 2003 03:49:56 -0000 1.4
--- serversTableDef 25 Dec 2003 05:23:50 -0000 1.5
***************
*** 9,25 ****
CREATE TABLE `servers` (
! `server` varchar(120) NOT NULL default '',
! `fqdn` varchar(255) default NULL,
! `actualippairs` text,
! `bestmatch` tinyint(1) default '1',
! `containsbestmatch` tinyint(1) default NULL,
! `comment` varchar(255) default NULL,
! PRIMARY KEY (`server`)
) TYPE=InnoDB
! server - the name of the server. Syntax is <PEP Name>/<Server Short Name>. Joins to the server column in the resources and resource_groups tables.
fqdn - Fully Qualified Domain Name of the server (DNS name)
actualippairs - if the server contains a Best Match, each individual pair of the ippairs must be further subdivided to exclude the best match. The syntax is "subprivate1:subpublic1,subprivate1:subpublic1;subprivate2:subpublic2;subprivate3:subpublic3,subprivate3:subpublic3 . . ." This field is derived programatically from resources_ip
--- 9,29 ----
CREATE TABLE `servers` (
! 
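Review bot: The rebuilt `resources_ip` has no primary key — `KEY server (server,service)` is only an index — where the old definition had `PRIMARY KEY (server,service,range)`, so the same `(server,service)` row can now be inserted twice and whatever NAT rules are generated from it would be emitted twice. If several rows per server/service are intended, the doc should say so; otherwise `PRIMARY KEY (server,service)` restores the invariant. `ippairs` and `actualippairs` pack `private:public` lists into a single `text` column, so every writer and reader must agree on the `;`/`,`/`:` grammar the doc gives, and a one-line note that the SPM checks each address is a valid IP before writing would help the next maintainer. The doc line `! actualippairsif the server ...` is missing its ` - ` separator. The same definition is repeated in spmskeleton.sql below.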
`pep` varchar(255) NOT NULL default '',
! `fqdn` varchar(235) NOT NULL default '',
! `bestmatch` tinyint(1) NOT NULL default '1',
! `containsbestmatch` tinyint(1) NOT NULL default '0',
! `comment` varchar(255) NOT NULL default '',
! `ippairs` text NOT NULL,
! `publicttl` int(11) NOT NULL default '0',
! `actualippairs` text NOT NULL,
! PRIMARY KEY (`fqdn`)
) TYPE=InnoDB
! pep - the name of the protecting PEP
fqdn - Fully Qualified Domain Name of the server (DNS name)
+ ippairs - contains the private:public ip pairs before altering them for contained best matches
+ actualippairs - if the server contains a Best Match, each individual pair of the ippairs must be further subdivided to exclude the best match. The syntax is "subprivate1:subpublic1,subprivate1:subpublic1;subprivate2:subpublic2;subprivate3:subpublic3,subprivate3:subpublic3 . . ." This field is derived programatically from resources_ip
***************
*** 27,30 ****
--- 31,36 ----
containsbestmatch - boolean column to show if the server's ip address range contains a server which is using best match.
+
+ publicttl - the value to which the TTL should be set when packets from this server leave a PEP public interface
Index: servicesTableDef
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/servicesTableDef,v
retrieving revision 1.5
retrieving revision 1.6
diff -C2 -d -r1.5 -r1.6
*** servicesTableDef 21 Dec 2003 10:33:34 -0000 1.5
--- servicesTableDef 25 Dec 2003 05:23:50 -0000 1.6
***************
*** 9,13 ****
CREATE TABLE `services` (
! `name` varchar(120) NOT NULL default '',
`protocol` int(11) NOT NULL default '0',
`protocolname` varchar(40) default NULL,
--- 9,13 ----
CREATE TABLE `services` (
! `name` varchar(230) NOT NULL default '',
`protocol` int(11) NOT NULL default '0',
`protocolname` varchar(40) default NULL,
***************
*** 18,22 ****
) TYPE=InnoDB
! service - the name of the service. 
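Review bot: `pep varchar(255)` in `servers` is the join key to a PEP name, but the Protected_NetworkTableDef hunk in this same commit declares `pep varchar(25)`, so the two tables disagree on the width of the same key; suggest `pep varchar(25) NOT NULL default ''` here to match. Both tables are `TYPE=InnoDB` yet neither declares a foreign key to the PEP table's `PRIMARY KEY (pep)`, so a mistyped `pep` silently orphans a server with no protecting PEP. `PRIMARY KEY (fqdn)` combined with `default ''` means an insert that omits the fqdn gets the empty-string key, and the next such insert fails on a duplicate key rather than on the missing name. The same definition is repeated in spmskeleton.sql below.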
Joins to the service column in the resources and resource_groups tables.
protocol - the ip protocol numeric value, e.g., 6 for tcp, 17 for udp, 1 for icmp, 50 for ESP
--- 18,22 ----
) TYPE=InnoDB
! name - the name of the service. Joins to the service column in the resources and resource_groups tables.
protocol - the ip protocol numeric value, e.g., 6 for tcp, 17 for udp, 1 for icmp, 50 for ESP
Index: spmskeleton.sql
===================================================================
RCS file: /cvsroot/iscs/ISCS/devel-docs/Database/spmskeleton.sql,v
retrieving revision 1.14
retrieving revision 1.15
diff -C2 -d -r1.14 -r1.15
*** spmskeleton.sql 21 Dec 2003 10:33:34 -0000 1.14
--- spmskeleton.sql 25 Dec 2003 05:23:50 -0000 1.15
***************
*** 130,134 ****
fw varchar(255) NOT NULL default '',
vpn varchar(255) NOT NULL default '',
! route varchar(255) NOT NULL default '',
dhcp varchar(255) NOT NULL default '',
dhcp_relay varchar(255) NOT NULL default '',
--- 130,134 ----
fw varchar(255) NOT NULL default '',
vpn varchar(255) NOT NULL default '',
! router varchar(255) NOT NULL default '',
dhcp varchar(255) NOT NULL default '',
dhcp_relay varchar(255) NOT NULL default '',
***************
*** 171,174 ****
--- 171,175 ----
dhcp_server_ip varchar(15) default NULL,
current tinyint(1) NOT NULL default '0',
+ managed tinyint(1) NOT NULL default '1',
PRIMARY KEY (pep)
) TYPE=InnoDB;
***************
*** 191,194 ****
--- 192,198 ----
pep varchar(25) NOT NULL default '',
antispoof tinyint(1) NOT NULL default '0',
+ nat_internal_remote tinyint(1) NOT NULL default '0',
+ nat_internal_local tinyint(1) NOT NULL default '0',
+ natnetwork varchar(15) NOT NULL default '',
PRIMARY KEY (network,netmask),
KEY pepip (pep_ip_addr)
***************
*** 201,210 ****
CREATE TABLE resource_groups (
resourcegroup varchar(255) NOT NULL default '',
! parent varchar(255) default NULL,
! server varchar(120) default NULL,
! service varchar(120) default NULL,
! comment varchar(250) default NULL,
! 
chainname bigint(20) default NULL,
! UNIQUE KEY resourcegroup (resourcegroup,server,service)
) TYPE=InnoDB;
--- 205,215 ----
CREATE TABLE resource_groups (
resourcegroup varchar(255) NOT NULL default '',
! parent varchar(255) NOT NULL default '',
! server varchar(235) NOT NULL default '',
! service varchar(230) NOT NULL default '',
! comment varchar(255) NOT NULL default '',
! chainname bigint(20) NOT NULL default '0',
! tablename varchar(25) NOT NULL default '',
! PRIMARY KEY (server,service,chainname,tablename)
) TYPE=InnoDB;
***************
*** 226,238 ****
CREATE TABLE resources_ip (
! server varchar(120) NOT NULL default '',
! service varchar(120) NOT NULL default '',
! range varchar(31) NOT NULL default '',
! natrange varchar(31) NOT NULL default '',
! actualrange text NOT NULL,
! natactualrange text NOT NULL,
! lowbinary bigint(20) default NULL,
! highbinary bigint(20) default NULL,
! PRIMARY KEY (server,service,range)
) TYPE=InnoDB;
--- 231,241 ----
CREATE TABLE resources_ip (
! server varchar(235) NOT NULL default '',
! service varchar(230) NOT NULL default '',
! ippairs text NOT NULL,
! actualippairs text NOT NULL,
! publicport varchar(255) NOT NULL default '',
! publicttl int(11) NOT NULL default '0',
! KEY server (server,service)
) TYPE=InnoDB;
***************
*** 254,264 ****
CREATE TABLE servers (
! server varchar(120) NOT NULL default '',
! fqdn varchar(255) default NULL,
! actualippairs text,
! bestmatch tinyint(1) default '1',
! containsbestmatch tinyint(1) default NULL,
! comment varchar(255) default NULL,
! PRIMARY KEY (server)
) TYPE=InnoDB;
--- 257,269 ----
CREATE TABLE servers (
! pep varchar(255) NOT NULL default '',
! fqdn varchar(235) NOT NULL default '',
! bestmatch tinyint(1) NOT NULL default '1',
! containsbestmatch tinyint(1) NOT NULL default '0',
! comment varchar(255) NOT NULL default '',
! ippairs text NOT NULL,
! publicttl int(11) NOT NULL default '0',
! actualippairs text NOT NULL,
! 
PRIMARY KEY (fqdn)
) TYPE=InnoDB;
***************
*** 268,272 ****
CREATE TABLE services (
! name varchar(120) NOT NULL default '',
protocol int(11) NOT NULL default '0',
protocolname varchar(40) default NULL,
--- 273,277 ----
CREATE TABLE services (
! name varchar(230) NOT NULL default '',
protocol int(11) NOT NULL default '0',
protocolname varchar(40) default NULL, |