[fwbuilder-commits] r1696 - in branches/v3_1: . doc src/cisco_lib src/res/platform test/iosacl
From: <va...@in...> - 2009-11-08 06:22:35
Author: vadim Date: 2009-11-07 22:21:39 -0800 (Sat, 07 Nov 2009) New Revision: 1696 Modified: branches/v3_1/build_num branches/v3_1/doc/ChangeLog branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl.cpp branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl.h branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl_writers.cpp branches/v3_1/src/res/platform/iosacl.xml branches/v3_1/test/iosacl/objects-for-regression-tests.fwb Log: * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTCPFlags): Implemented TCP flag matching per #2865044: "Add TCP options support for IOS ACL". Uses extended ACL option "match-all" that supports list of TCP flags that should be set and cleared. This requires IOS v12.4 or later even though Cisco documentation seems to indicate this option was introduced in 12.3(4)T. Fixes #455 Modified: branches/v3_1/build_num =================================================================== --- branches/v3_1/build_num 2009-11-07 21:19:56 UTC (rev 1695) +++ branches/v3_1/build_num 2009-11-08 06:21:39 UTC (rev 1696) @@ -1 +1 @@ -#define BUILD_NUM 1693 +#define BUILD_NUM 1695 Modified: branches/v3_1/doc/ChangeLog =================================================================== --- branches/v3_1/doc/ChangeLog 2009-11-07 21:19:56 UTC (rev 1695) +++ branches/v3_1/doc/ChangeLog 2009-11-08 06:21:39 UTC (rev 1696) @@ -1,3 +1,12 @@ +2009-11-07 vadim <va...@vk...> + + * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printTCPFlags): + Implemented TCP flag matching per #2865044: "Add TCP options + support for IOS ACL". Uses extended ACL option "match-all" that + supports list of TCP flags that should be set and cleared. This + requires IOS v12.4 or later even though Cisco documentation seems + to indicate this option was introduced in 12.3(4)T. Fixes #455 + 2009-11-06 vadim <va...@vk...> * PolicyCompiler_pix_writers.cpp (PrintRule::_printDstService): PIX 
@@ -5,10 +14,10 @@ Fixes #567 * res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2, - 12.3 + 12.3, 12.4 * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions): - Added support for IP options matching, requires IOS v12.3 or + Added support for IP options matching, requires IOS v12.4 or later. Fixes #566, #568 * configlets/sveasoft/script_skeleton: Fixes #571 /bin/sh on Modified: branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl.cpp =================================================================== --- branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl.cpp 2009-11-07 21:19:56 UTC (rev 1695) +++ branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl.cpp 2009-11-08 06:21:39 UTC (rev 1696) @@ -129,19 +129,14 @@ s->getBool("ssrr") || s->getBool("ts") ) compiler->abort( - rule, "IOS ACL does not support checking for IP options in ACLs."); } - if (TCPService::cast(s)!=NULL) { - if (s->getBool("ack_flag") || - s->getBool("fin_flag") || - s->getBool("rst_flag") || - s->getBool("syn_flag") ) - compiler->abort( - - rule, - "IOS ACL does not support checking for TCP options in ACLs."); + if (TCPService::cast(s)!=NULL && TCPService::cast(s)->inspectFlags()) + { + string version = compiler->fw->getStr("version"); + if (XMLTools::version_compare(version, "12.4")<0) + compiler->abort(rule, "TCP flags match requires IOS v12.4 or later."); } tmp_queue.push_back(rule); Modified: branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl.h =================================================================== --- branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl.h 2009-11-07 21:19:56 UTC (rev 1695) +++ branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl.h 2009-11-08 06:21:39 UTC (rev 1696) @@ -30,6 +30,7 @@ #include "fwcompiler/PolicyCompiler.h" #include "fwbuilder/RuleElement.h" +#include "fwbuilder/TCPService.h" #include "Helper.h" #include "ACL.h" 
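Review bot: The "12.4" threshold the new check compares against is a string literal repeated here and twice more in PolicyCompiler_iosacl_writers.cpp (`_printIPServiceOptions` and `_printTCPFlags`), so the three places can drift apart on the next version bump; one named constant in PolicyCompiler_iosacl.h, e.g. `// minimum IOS version for IP-option and TCP-flag matching in extended ACLs`, referenced from all three, keeps them in step. `TCPService::cast(s)` is also evaluated twice on the new condition; `TCPService *tcp = TCPService::cast(s); if (tcp!=NULL && tcp->inspectFlags())` reads cleaner. The regression file in this same commit moves the test firewall from version="12.x" to "12.4"; if existing user files still carry "12.x", whether a rule with TCP flags compiles or aborts depends on how `XMLTools::version_compare` orders that string, which is worth confirming so an unknown version produces a clear error rather than an ACL the device may reject. The enclosing rule-processor function starts and ends outside the hunk.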
@@ -187,11 +188,13 @@ std::string current_rule_label1; std::map<std::string,std::string> current_rule_label2; int aclLineCounter; - + + std::string getTcpFlagName(const libfwbuilder::TCPService::TCPFlag f); std::string _printSrcService(libfwbuilder::Service *srv); std::string _printDstService(libfwbuilder::Service *srv); std::string _printAddr(libfwbuilder::Address *o); std::string _printProtocol(libfwbuilder::Service *srv); + std::string _printTCPFlags(libfwbuilder::TCPService *srv); std::string _printAction(libfwbuilder::PolicyRule *r); std::string _printACL(libfwbuilder::PolicyRule *r); std::string _printLog(libfwbuilder::PolicyRule *r); Modified: branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl_writers.cpp =================================================================== --- branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl_writers.cpp 2009-11-07 21:19:56 UTC (rev 1695) +++ branches/v3_1/src/cisco_lib/PolicyCompiler_iosacl_writers.cpp 2009-11-08 06:21:39 UTC (rev 1696) @@ -61,7 +61,9 @@ #include <assert.h> +#include <QStringList> + using namespace libfwbuilder; using namespace fwcompiler; using namespace std; @@ -365,8 +367,8 @@ if (srv->getBool("fragm") || srv->getBool("short_fragm")) return "fragments "; - if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.3")<0) - compiler->abort(r, "IP options match requires IOS v12.3 or later."); + if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.4")<0) + compiler->abort(r, "IP options match requires IOS v12.4 or later."); if (ip->getBool("lsrr")) return "option lsr"; if (ip->getBool("ssrr")) return "option ssr"; 
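Review bot: `getTcpFlagName` is declared as a non-static member taking `const libfwbuilder::TCPService::TCPFlag f`, but in the writers hunk it only switches on its argument and reads no instance state, so `static std::string getTcpFlagName(libfwbuilder::TCPService::TCPFlag f);` states that (top-level `const` on a by-value parameter has no effect in a declaration). Neither new declaration says what the caller gets back; a comment on `_printTCPFlags` such as `// "match-all +flag -flag ... " with a trailing space when srv inspects TCP flags on IOS 12.4+, "" otherwise` would document the contract the `established`/`else` caller relies on. The enclosing class starts and ends outside the hunk.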
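Review bot: `#include <QStringList>` looks like the first Qt include in this translation unit (it is added after `<assert.h>`, ahead of the `using namespace` lines), and the only use in this commit is joining a few tokens with a space in `_printTCPFlags`; an `ostringstream`, which the file already uses for `str << "range "` in a later hunk, does the same without pulling Qt into the compiler library. If cisco_lib already links against QtCore this is only a style point; otherwise it adds a link dependency for a one-line join.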
@@ -405,9 +407,13 @@ str << "range " << rs << " " << re << " "; } } - if (TCPService::isA(srv) && srv->getBool("established")) - str << "established "; + if (TCPService::isA(srv)) + { + if (srv->getBool("established")) str << "established "; + else str << _printTCPFlags(TCPService::cast(srv)); + } + if ((ICMPService::isA(srv) || ICMP6Service::isA(srv)) && srv->getInt("type")!=-1) str << srv->getStr("type") << " "; 
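Review bot: Because the new branch is an `else`, a TCPService with `established` set prints only `established `, and any flag masks it also carries are dropped without a message; if that combination is not meaningful on this platform, rejecting it in the SpecialServices processor (where the version is already checked) would make the conflict visible instead of silently generating a broader ACL line than the object describes. At minimum a comment on the `if` such as `// "established" takes precedence; explicit flag matching is only printed when it is off` records the choice. The enclosing function starts and ends outside the hunk.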
@@ -418,6 +424,50 @@ return str.str(); } +string PolicyCompiler_iosacl::PrintRule::getTcpFlagName(const TCPService::TCPFlag f) +{ + switch (f) + { + case TCPService::URG: return "urg"; + case TCPService::ACK: return "ack"; + case TCPService::PSH: return "psh"; + case TCPService::RST: return "rst"; + case TCPService::SYN: return "syn"; + case TCPService::FIN: return "fin"; + default: return ""; + } + return ""; +} + +string PolicyCompiler_iosacl::PrintRule::_printTCPFlags(TCPService *srv) +{ + if (srv->inspectFlags()) + { + // We check the version and call compiler->abort() if its + // wrong in SpecialServices rule processor. Here we should just execute. + string version = compiler->fw->getStr("version"); + if (XMLTools::version_compare(version, "12.4")>=0) + { + std::set<TCPService::TCPFlag> flags = srv->getAllTCPFlags(); + std::set<TCPService::TCPFlag> masks = srv->getAllTCPFlagMasks(); + std::set<TCPService::TCPFlag>::iterator mit = masks.begin(); + + QStringList match_specs; + for (; mit!=masks.end(); mit++) + { + if (flags.count(*mit) > 0) + match_specs.push_back(QString("+%1").arg(getTcpFlagName(*mit).c_str())); + else + match_specs.push_back(QString("-%1").arg(getTcpFlagName(*mit).c_str())); + } + if (!match_specs.empty()) + match_specs.push_front("match-all"); + return match_specs.join(" ").toStdString() + " "; + } + } + return ""; +} + string PolicyCompiler_iosacl::PrintRule::_printProtocol(Service *srv) { PolicyCompiler_iosacl *iosacl_comp = dynamic_cast<PolicyCompiler_iosacl*>( Modified: branches/v3_1/src/res/platform/iosacl.xml =================================================================== --- branches/v3_1/src/res/platform/iosacl.xml 2009-11-07 21:19:56 UTC (rev 1695) +++ branches/v3_1/src/res/platform/iosacl.xml 2009-11-08 06:21:39 UTC (rev 1696) @@ -10,7 +10,7 @@ <diff>fwb_iosacl_diff</diff> <supported_os>ios</supported_os> - <versions>12.1,12.2,12.3</versions> + <versions>12.1,12.2,12.3,12.4</versions> <options> <default> 
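Review bot: In `_printTCPFlags`, a mask value for which `getTcpFlagName` returns "" (its `default` case) is still emitted as a bare `+` or `-` token, so the generated line would read `match-all +` and be rejected by IOS at load time rather than skipped; with only the six named flags this is unreachable today, but a guard is cheap: `string name = getTcpFlagName(*mit); if (name.empty()) continue;` followed by `match_specs.push_back(QString(flags.count(*mit) > 0 ? "+%1" : "-%1").arg(name.c_str()));`. The `return "";` after the `switch` in `getTcpFlagName` is unreachable because every path returns from the switch, and the loop over `masks` should use `std::set<TCPService::TCPFlag>::const_iterator` with `++mit`. The comment above the version check is a good one; it would be worth adding that returning "" here on an old version is intentional because SpecialServices has already aborted the compile.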
@@ -76,6 +76,25 @@ </iosacl_commands> </version_12.3> + <version_12.4> + <iosacl_include_comments>true</iosacl_include_comments> + <iosacl_add_clear_statements>true</iosacl_add_clear_statements> + <iosacl_assume_fw_part_of_any>true</iosacl_assume_fw_part_of_any> + <iosacl_commands> + <clear_acl>no access-list</clear_acl> + <clear_ip_acl>no ip access-list extended</clear_ip_acl> + <clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl> + <ip_addr_static> +interface %in + ip address %a %n + </ip_addr_static> + <ip_addr_dyn> +interface %in + ip address dhcp + </ip_addr_dyn> + </iosacl_commands> + </version_12.4> + </options> <capabilities> Modified: branches/v3_1/test/iosacl/objects-for-regression-tests.fwb =================================================================== --- branches/v3_1/test/iosacl/objects-for-regression-tests.fwb 2009-11-07 21:19:56 UTC (rev 1695) +++ branches/v3_1/test/iosacl/objects-for-regression-tests.fwb 2009-11-08 06:21:39 UTC (rev 1696) @@ -21,12 +21,11 @@ <ServiceRef ref="id5470X38343"/> <ObjectRef ref="id19068X65694"/> <ObjectRef ref="id19240X65694"/> + <ObjectRef ref="id4641321126611"/> + <ServiceRef ref="id5611X44763"/> <ServiceRef ref="sysid1"/> <ServiceRef ref="sysid1"/> - <ObjectRef ref="sysid0"/> - <ObjectRef ref="sysid0"/> - <ObjectRef ref="sysid0"/> - <ObjectRef ref="id4641321126611"/> + <ServiceRef ref="sysid1"/> </Library> <Library id="id4511636323682" color="#d2ffd0" name="User" comment="" ro="False"> <ObjectGroup id="id4511636423682_clusters" name="Clusters" comment="" ro="False"/> 
@@ -149,6 +148,9 @@ <ServiceGroup id="id4511637023682" name="TCP" comment="" ro="False"> <TCPService id="id4641521729061" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http established" comment="" ro="False" src_range_start="80" src_range_end="80" dst_range_start="0" dst_range_end="0"/> <TCPService id="id5470X38343" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="establ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/> + <TCPService id="id83887X7744" ack_flag="True" ack_flag_mask="True" established="False" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="ack" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/> + <TCPService id="id83888X7744" ack_flag="False" ack_flag_mask="True" established="False" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="syn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/> + <TCPService id="id83889X7744" ack_flag="True" ack_flag_mask="True" established="False" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="syn ack" comment="" ro="False" 
src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/> </ServiceGroup> <ServiceGroup id="id4511637123682" name="UDP" comment="" ro="False"/> <ServiceGroup id="id4511637223682" name="Custom" comment="" ro="False"> @@ -747,7 +749,7 @@ <Option name="verify_interfaces">true</Option> </FirewallOptions> </Firewall> - <Firewall id="id464131E426611" host_OS="ios" inactive="False" lastCompiled="1251228630" lastInstalled="0" lastModified="1257560694" platform="iosacl" version="12.x" name="testios20" comment="" ro="False"> + <Firewall id="id464131E426611" host_OS="ios" inactive="False" lastCompiled="1251228630" lastInstalled="0" lastModified="1257660998" platform="iosacl" version="12.4" name="testios20" comment="" ro="False"> <NAT id="id4641320F26611" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/> <Policy id="id464131EA26611" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> <PolicyRule id="id464131EB26611" disabled="False" log="False" position="0" action="Accept" direction="Both" comment=""> @@ -1000,7 +1002,7 @@ <Option name="stateless">False</Option> </PolicyRuleOptions> </PolicyRule> - <PolicyRule id="id7439X44763" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment=""> + <PolicyRule id="id85935X7744" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment=""> <Src neg="False"> <ObjectRef ref="sysid0"/> </Src> 
@@ -1008,6 +1010,70 @@ <ObjectRef ref="sysid0"/> </Dst> <Srv neg="False"> + <ServiceRef ref="id83887X7744"/> + </Srv> + <Itf neg="False"> + <ObjectRef ref="id4641321126611"/> + </Itf> + <When neg="False"> + <IntervalRef ref="sysid2"/> + </When> + <PolicyRuleOptions> + <Option name="color">#8BC065</Option> + <Option name="stateless">False</Option> + </PolicyRuleOptions> + </PolicyRule> + <PolicyRule id="id85953X7744" disabled="False" group="" log="False" position="13" action="Accept" direction="Inbound" comment=""> + <Src neg="False"> + <ObjectRef ref="sysid0"/> + </Src> + <Dst neg="False"> + <ObjectRef ref="sysid0"/> + </Dst> + <Srv neg="False"> + <ServiceRef ref="id83887X7744"/> + <ServiceRef ref="id83888X7744"/> + </Srv> + <Itf neg="False"> + <ObjectRef ref="id4641321126611"/> + </Itf> + <When neg="False"> + <IntervalRef ref="sysid2"/> + </When> + <PolicyRuleOptions> + <Option name="color">#8BC065</Option> + <Option name="stateless">False</Option> + </PolicyRuleOptions> + </PolicyRule> + <PolicyRule id="id85970X7744" disabled="False" group="" log="False" position="14" action="Accept" direction="Inbound" comment=""> + <Src neg="False"> + <ObjectRef ref="sysid0"/> + </Src> + <Dst neg="False"> + <ObjectRef ref="sysid0"/> + </Dst> + <Srv neg="False"> + <ServiceRef ref="id83889X7744"/> + </Srv> + <Itf neg="False"> + <ObjectRef ref="id4641321126611"/> + </Itf> + <When neg="False"> + <IntervalRef ref="sysid2"/> + </When> + <PolicyRuleOptions> + <Option name="color">#8BC065</Option> + <Option name="stateless">False</Option> + </PolicyRuleOptions> + </PolicyRule> + <PolicyRule id="id7439X44763" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment=""> + <Src neg="False"> + <ObjectRef ref="sysid0"/> + </Src> + <Dst neg="False"> + <ObjectRef ref="sysid0"/> + </Dst> + <Srv neg="False"> <ServiceRef ref="sysid1"/> </Srv> <Itf neg="False"> 
@@ -1020,7 +1086,7 @@ <Option name="stateless">False</Option> </PolicyRuleOptions> </PolicyRule> - <PolicyRule id="id4641320326611" disabled="False" log="True" position="13" action="Deny" direction="Both" comment=""> + <PolicyRule id="id4641320326611" disabled="False" log="True" position="16" action="Deny" direction="Both" comment=""> <Src neg="False"> <ObjectRef ref="sysid0"/> </Src> |