[fwbuilder-commits] [SCM] Firewall Builder GUI and Policy Compilers Open Source Code branch, develo
From: <gi...@ir...> - 2011-03-24 19:36:58
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Firewall Builder GUI and Policy Compilers Open Source Code". The branch, development has been updated via c533b74e8e786ba0a1f527d57c7f70dc86383ae4 (commit) via 72370646a624a0a300a76f532614f91545d9165d (commit) from 909470a0bf8e6f93f1988bcd05eb458aaf16214d (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit c533b74e8e786ba0a1f527d57c7f70dc86383ae4 Author: Vadim Kurland <va...@sl...> Date: Thu Mar 24 12:48:04 2011 -0700 * getServByName.cpp (getPortByName): see #2268 updated list of named tcp and udp ports recognized by the importer for Cisco ASA. It is still unclear what port does the name "cifs" correspond to. diff --git a/doc/ChangeLog b/doc/ChangeLog index bc9c2f7..cf509ff 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,9 @@ +2011-03-24 vadim <va...@ne...> + + * getServByName.cpp (getPortByName): see #2268 updated list of + named tcp and udp ports recognized by the importer for Cisco ASA. + It is still unclear what port does the name "cifs" correspond to. + 2011-03-23 vadim <va...@ne...> * addressObjectMaker.cpp (createObject): see #1548 Improved diff --git a/src/import/PIXImporter.cpp b/src/import/PIXImporter.cpp index f91cf99..cfa0b36 100644 --- a/src/import/PIXImporter.cpp +++ b/src/import/PIXImporter.cpp @@ -619,7 +619,7 @@ void PIXImporter::addIPServiceToObjectGroup() sig.setProtocol(protocol.c_str()); sig.fragments = fragments; FWObject *s = service_maker->createObject(sig); - current_object_group->addRef(s); + current_object_group->addRef(commitObject(s)); } void PIXImporter::addTCPUDPServiceToObjectGroup() 
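Review bot: `current_object_group->addRef(commitObject(s));` passes the result of `service_maker->createObject(sig)` straight through with no null check, while the @@ -631 hunk of the same file guards `new_obj` with `if (new_obj)` before making the identical call; the @@ -649 hunk has the same unguarded form as this one. If createObject can return NULL for a service the importer cannot parse, as that guard suggests, this hunk and @@ -649 would hand NULL to commitObject and addRef. Either guard all three sites the same way, `if (s) current_object_group->addRef(commitObject(s));`, or state on createObject that it never returns NULL. addIPServiceToObjectGroup starts outside the hunk.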
@@ -631,7 +631,7 @@ void PIXImporter::addTCPUDPServiceToObjectGroup()
if (protocol == "tcp") new_obj = createTCPService();
if (protocol == "udp") new_obj = createUDPService();
if (new_obj)
- current_object_group->addRef(new_obj);
+ current_object_group->addRef(commitObject(new_obj));
}
void PIXImporter::addICMPServiceToObjectGroup()
@@ -649,6 +649,6 @@ void PIXImporter::addICMPServiceToObjectGroup()
}
FWObject *s = service_maker->createObject(sig);
- current_object_group->addRef(s);
+ current_object_group->addRef(commitObject(s));
}
diff --git a/src/import/getServByName.cpp b/src/import/getServByName.cpp
index 5c8fab3..979ac20 100644
--- a/src/import/getServByName.cpp
+++ b/src/import/getServByName.cpp
@@ -550,66 +550,119 @@ int GetServByName::getPortByName(const QString &name, const QString &proto) // these are found in Cisco configs. Some of these names duplicate // protocols listed above but a few are extras. - ports["tcp"]["bgp"] = 179; - ports["tcp"]["chargen"] = 19; - ports["tcp"]["cmd"] = 514; - ports["tcp"]["daytime"] = 13; - ports["tcp"]["discard"] = 9; - ports["tcp"]["domain"] = 53; - ports["tcp"]["echo"] = 7; - ports["tcp"]["exec"] = 512; - ports["tcp"]["finger"] = 79; - ports["tcp"]["ftp"] = 21; - ports["tcp"]["ftp-data"] = 20; - ports["tcp"]["gopher"] = 70; - ports["tcp"]["hostname"] = 101; - ports["tcp"]["ident"] = 113; - ports["tcp"]["irc"] = 194; - ports["tcp"]["klogin"] = 543; - ports["tcp"]["kshell"] = 544; - ports["tcp"]["login"] = 513; - ports["tcp"]["lpd"] = 515; - ports["tcp"]["nntp"] = 119; - ports["tcp"]["pop2"] = 109; - ports["tcp"]["pop3"] = 110; - ports["tcp"]["smtp"] = 25; - ports["tcp"]["sunrpc"] = 111; +// http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ports.html +// +// this is a mix of port names from PIX/ASA and IOS + + ports["tcp"]["aol"] = 5190; // America Online + ports["tcp"]["bgp"] = 179; // Border Gateway Protocol, RFC 1163 + ports["tcp"]["chargen"] = 19; // Character Generator + ports["tcp"]["cifs"] = 445; + ports["tcp"]["citrix-ica"] = 1494; // Citrix Independent Computing + // Architecture (ICA) protocol + ports["tcp"]["cmd"] = 514; // Similar to exec except that cmd + // has automatic authentication + ports["tcp"]["ctiqbe"] = 2748; // Computer Telephony Interface + // Quick Buffer Encoding + ports["tcp"]["daytime"] = 13; // Day time, RFC 867 + ports["tcp"]["discard"] = 9; // Discard + ports["tcp"]["domain"] = 53; // DNS + ports["tcp"]["echo"] = 7; // Echo + ports["tcp"]["exec"] = 512; // Remote process execution + ports["tcp"]["finger"] = 79; // Finger + ports["tcp"]["ftp"] = 21; // File Transfer Protocol (control port) + ports["tcp"]["ftp-data"] = 20; // File Transfer Protocol (data port) + 
ports["tcp"]["gopher"] = 70; // Gopher + ports["tcp"]["h323"] = 1720; // H.323 call signalling + ports["tcp"]["hostname"] = 101; // NIC Host Name Server + ports["tcp"]["https"] = 443; // HTTP over SSL + ports["tcp"]["ident"] = 113; // Ident authentication service + ports["tcp"]["imap4"] = 143; // Internet Message Access Protocol, + // version 4 + ports["tcp"]["irc"] = 194; // Internet Relay Chat protocol + ports["tcp"]["kerberos"] = 750; // Kerberos + ports["tcp"]["klogin"] = 543; // KLOGIN + ports["tcp"]["kshell"] = 544; // Korn Shell + ports["tcp"]["ldap"] = 389; // Lightweight Directory Access + // Protocol + ports["tcp"]["ldaps"] = 636; // Lightweight Directory Access + // Protocol (SSL) + ports["tcp"]["login"] = 513; // Remote login + ports["tcp"]["lotusnotes"] = 1352; // IBM Lotus Notes + ports["tcp"]["lpd"] = 515; // Line Printer Daemon - printer spooler + ports["tcp"]["netbios-ssn"] = 139; // NetBIOS Session Service + ports["tcp"]["nfs"] = 2049; + ports["tcp"]["nntp"] = 119; // Network News Transfer Protocol + ports["tcp"]["pcanywhere-data"] = 5631; // pcAnywhere data + ports["tcp"]["pim-auto-rp"] = 496; // Protocol Independent Multicast, + // reverse path flooding, dense mode + ports["tcp"]["pop2"] = 109; // Post Office Protocol - Version 2 + ports["tcp"]["pop3"] = 110; // Post Office Protocol - Version 3 + ports["tcp"]["pptp"] = 1723; // Point-to-Point Tunneling Protocol + ports["tcp"]["rsh"] = 514; + ports["tcp"]["rtsp"] = 554; + ports["tcp"]["smtp"] = 25; // Simple Mail Transport Protocol + ports["tcp"]["sqlnet"] = 1521; // Structured Query Language Network + ports["tcp"]["ssh"] = 22; // Secure Shell + ports["tcp"]["sip"] = 5060; + ports["tcp"]["sunrpc"] = 111; // 111 Sun Remote Procedure Call ports["tcp"]["syslog"] = 514; - ports["tcp"]["tacacs"] = 49; - ports["tcp"]["tacacs-ds"] = 63; - ports["tcp"]["talk"] = 517; - ports["tcp"]["telnet"] = 23; - ports["tcp"]["time"] = 37; - ports["tcp"]["uucp"] = 540; - ports["tcp"]["whois"] = 43; - 
ports["tcp"]["www"] = 80; + ports["tcp"]["tacacs"] = 49; // Terminal Access Controller + // Access Control System Plus + ports["tcp"]["tacacs-ds"] = 63; // ??? + ports["tcp"]["talk"] = 517; // Talk + ports["tcp"]["telnet"] = 23; // RFC 854 Telnet + ports["tcp"]["time"] = 37; // ??? + ports["tcp"]["uucp"] = 540; // UNIX-to-UNIX Copy Program + ports["tcp"]["whois"] = 43; // Who Is + ports["tcp"]["http"] = 80; + ports["tcp"]["www"] = 80; // World Wide Web - ports["udp"]["biff"] = 512; - ports["udp"]["bootpc"] = 68; - ports["udp"]["bootps"] = 67; - ports["udp"]["discard"] = 9; - ports["udp"]["dnsix"] = 195; - ports["udp"]["domain"] = 53; + + + ports["udp"]["biff"] = 512; // Used by mail system to notify + // users that new mail is received + ports["udp"]["bootpc"] = 68; // Bootstrap Protocol Client + ports["udp"]["bootps"] = 67; // Bootstrap Protocol Server + ports["udp"]["discard"] = 9; // Discard + ports["udp"]["dnsix"] = 195; // DNSIX Session Management + // Module Audit Redirector + ports["udp"]["domain"] = 53; // DNS ports["udp"]["echo"] = 7; - ports["udp"]["isakmp"] = 500; - ports["udp"]["mobile-ip"] = 434; - ports["udp"]["nameserver"] = 42; - ports["udp"]["netbios-dgm"] = 138; - ports["udp"]["netbios-ns"] = 137; + ports["udp"]["isakmp"] = 500; // Internet Security Association + // and Key Management Protocol + ports["udp"]["kerberos"] = 750; // Kerberos + ports["udp"]["mobile-ip"] = 434; // MobileIP-Agent + ports["udp"]["nameserver"] = 42; // Host Name Server + ports["udp"]["netbios-dgm"] = 138; // NetBIOS Datagram Service + ports["udp"]["netbios-ns"] = 137; // NetBIOS Name Service ports["udp"]["netbios-ss"] = 139; - ports["udp"]["ntp"] = 123; - ports["udp"]["pim-auto-rp"] = 496; - ports["udp"]["rip"] = 520; - ports["udp"]["snmp"] = 161; - ports["udp"]["snmptrap"] = 162; - ports["udp"]["sunrpc"] = 111; - ports["udp"]["syslog"] = 514; - ports["udp"]["tacacs"] = 49; - ports["udp"]["talk"] = 517; - ports["udp"]["tftp"] = 69; - ports["udp"]["time"] = 37; - 
ports["udp"]["who"] = 513; - ports["udp"]["xdmcp"] = 177; + ports["udp"]["nfs"] = 2049; + ports["udp"]["ntp"] = 123; // Network Time Protocol + ports["udp"]["pcanywhere-status"] = 5632; // pcAnywhere status + ports["udp"]["pim-auto-rp"] = 496; // Protocol Independent Multicast, + // reverse path flooding, dense mode + ports["udp"]["radius"] = 1645; // Remote Authentication Dial-In + // User Service + ports["udp"]["radius-acct"] = 1646; // Remote Authentication Dial-In + // User Service (accounting) + ports["udp"]["rip"] = 520; // Routing Information Protocol + ports["udp"]["rtsp"] = 554; + ports["udp"]["secureid-udp"] = 5510; // SecureID over + ports["udp"]["sip"] = 5060; + ports["udp"]["snmp"] = 161; // Simple Network Management Protocol + ports["udp"]["snmptrap"] = 162; // Simple Network Management Protocol + // - Trap + ports["udp"]["sunrpc"] = 111; // 111 Sun Remote Procedure Call + ports["udp"]["syslog"] = 514; // System Log + ports["udp"]["tacacs"] = 49; // Terminal Access Controller + // Access Control System Plus + ports["udp"]["talk"] = 517; // Talk + ports["udp"]["tftp"] = 69; // Trivial File Transfer Protocol + ports["udp"]["time"] = 37; // Time + ports["udp"]["who"] = 513; // Who + ports["udp"]["xdmcp"] = 177; // X Display Manager Control Protocol + } commit 72370646a624a0a300a76f532614f91545d9165d Author: Vadim Kurland <va...@sl...> Date: Wed Mar 23 23:54:55 2011 -0700 checking in updated unit tests after changes in handling port ranges for IOS and changes for better deduplication of networks and address ranges in importer diff --git a/doc/ChangeLog b/doc/ChangeLog index 6c0c4d2..bc9c2f7 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
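Review bot: `ports["tcp"]["cifs"] = 445;` is the one entry the commit message itself calls unverified, and it carries no comment unlike most of its neighbours; since each entry here decides which port an imported ASA rule will actually permit, a wrong value silently widens or narrows the resulting policy. The Cisco reference linked in the comment above the table is the place to settle it (my recollection is that it lists `cifs` as 3020 rather than 445, so please confirm), and I would add a comment either way, e.g. `ports["tcp"]["cifs"] = 445; // <reference>, see #2268`. The same applies to the other uncommented additions (`nfs`, `rsh`, `rtsp`, `sip`, `http`) and the `// ???` markers on `tacacs-ds` and `time`, and the `// SecureID over` comment on `secureid-udp` is cut off mid-sentence. `radius`/`radius-acct` at 1645/1646 follow Cisco's legacy numbering rather than the IANA 1812/1813 assignment, which deserves a comment so nobody later "corrects" it. getPortByName starts outside the hunk.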
@@ -1,4 +1,7 @@ -2011-03-23 Vadim Kurland <va...@ne...> +2011-03-23 vadim <va...@ne...> + + * addressObjectMaker.cpp (createObject): see #1548 Improved + algorithm used to deduplicate Network objects on import. * FWWindow.cpp (prepareToolsMenu): fixed SF bug 3238026: build failure on systems without net-snmp development libraries. diff --git a/src/import/IPTImporter.cpp b/src/import/IPTImporter.cpp index 7766f8d..6b7fe72 100644 --- a/src/import/IPTImporter.cpp +++ b/src/import/IPTImporter.cpp @@ -288,12 +288,12 @@ FWObject* IPTImporter::createTCPUDPService(const std::string &proto) } } -FWObject* IPTImporter::createTCPService(const QString &name) +FWObject* IPTImporter::createTCPService(const QString &) { return createTCPUDPService("tcp"); } -FWObject* IPTImporter::createUDPService(const QString &name) +FWObject* IPTImporter::createUDPService(const QString &) { return createTCPUDPService("udp"); } @@ -305,8 +305,8 @@ FWObject* IPTImporter::makeSrcObj() { ObjectSignature sig; sig.type_name = AddressRange::TYPENAME; - sig.address_range_start = iprange_src_from.c_str(); - sig.address_range_end = iprange_src_to.c_str(); + sig.setAddressRangeStart(iprange_src_from.c_str()); + sig.setAddressRangeEnd(iprange_src_to.c_str()); return commitObject(address_maker->createObject(sig)); } else @@ -319,8 +319,8 @@ FWObject* IPTImporter::makeDstObj() { ObjectSignature sig; sig.type_name = AddressRange::TYPENAME; - sig.address_range_start = iprange_dst_from.c_str(); - sig.address_range_end = iprange_dst_to.c_str(); + sig.setAddressRangeStart(iprange_dst_from.c_str()); + sig.setAddressRangeEnd(iprange_dst_to.c_str()); return commitObject(address_maker->createObject(sig)); } else 
@@ -1207,15 +1207,15 @@ void IPTImporter::pushNATRule() { ObjectSignature sig; sig.type_name = AddressRange::TYPENAME; - sig.address_range_start = nat_addr1.c_str(); - sig.address_range_end = nat_addr2.c_str(); + sig.setAddressRangeStart(nat_addr1.c_str()); + sig.setAddressRangeEnd(nat_addr2.c_str()); tsrc = commitObject(address_maker->createObject(sig)); } else { ObjectSignature sig; sig.type_name = Address::TYPENAME; - sig.address = nat_addr1.c_str(); - sig.netmask = nat_nm.c_str(); + sig.setAddress(nat_addr1.c_str()); + sig.setNetmask(nat_nm.c_str()); tsrc = commitObject(address_maker->createObject(sig)); } @@ -1261,15 +1261,15 @@ void IPTImporter::pushNATRule() { ObjectSignature sig; sig.type_name = AddressRange::TYPENAME; - sig.address_range_start = nat_addr1.c_str(); - sig.address_range_end = nat_addr2.c_str(); + sig.setAddressRangeStart(nat_addr1.c_str()); + sig.setAddressRangeEnd(nat_addr2.c_str()); tdst = commitObject(address_maker->createObject(sig)); } else { ObjectSignature sig; sig.type_name = Address::TYPENAME; - sig.address = nat_addr1.c_str(); - sig.netmask = nat_nm.c_str(); + sig.setAddress(nat_addr1.c_str()); + sig.setNetmask(nat_nm.c_str()); tdst = commitObject(address_maker->createObject(sig)); } @@ -1338,8 +1338,8 @@ void IPTImporter::pushNATRule() ObjectSignature sig; sig.type_name = Address::TYPENAME; - sig.address = nat_addr1.c_str(); - sig.netmask = nat_nm.c_str(); + sig.setAddress(nat_addr1.c_str()); + sig.setNetmask(nat_nm.c_str()); o = commitObject(address_maker->createObject(sig)); tsrc->addRef(o); } @@ -1353,8 +1353,8 @@ void IPTImporter::pushNATRule() ObjectSignature sig; sig.type_name = Address::TYPENAME; - sig.address = nat_addr1.c_str(); - sig.netmask = nat_nm.c_str(); + sig.setAddress(nat_addr1.c_str()); + sig.setNetmask(nat_nm.c_str()); o = commitObject(address_maker->createObject(sig)); tdst->addRef(o); } diff --git a/src/import/Importer.cpp b/src/import/Importer.cpp index 4f5820a..b03b4cd 100644 --- a/src/import/Importer.cpp 
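Review bot: `sig.setNetmask(nat_nm.c_str());` in the @@ -1207 hunk relies on the default `inverted_netmask=false`, whereas the Importer.cpp hunks @@ -544/-560 forward `address_maker->getInvertedNetmasks()`; the @@ -1261, @@ -1338 and @@ -1353 hunks here and PIXImporter's @@ -594 hunk have the same omission. Before this change the inversion was applied once inside AddressObjectMaker::createAddress for every caller (the block removed in the addressObjectMaker.cpp hunk), so the flag now only takes effect at call sites that remember to pass it. If iptables and PIX inputs never set inverted netmasks this is harmless today, but it is an easy way for a wildcard mask to be taken literally and import the wrong network, so I would forward the flag uniformly, `sig.setNetmask(nat_nm.c_str(), address_maker->getInvertedNetmasks());`, or add a comment at each site stating why inversion cannot apply there. pushNATRule starts and ends outside these hunks.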
+++ b/src/import/Importer.cpp @@ -544,8 +544,8 @@ FWObject* Importer::makeSrcObj() ObjectSignature sig; sig.type_name = Address::TYPENAME; - sig.address = src_a.c_str(); - sig.netmask = src_nm.c_str(); + sig.setAddress(src_a.c_str()); + sig.setNetmask(src_nm.c_str(), address_maker->getInvertedNetmasks()); return commitObject(address_maker->createObject(sig)); } @@ -560,8 +560,8 @@ FWObject* Importer::makeDstObj() ObjectSignature sig; sig.type_name = Address::TYPENAME; - sig.address = dst_a.c_str(); - sig.netmask = dst_nm.c_str(); + sig.setAddress(dst_a.c_str()); + sig.setNetmask(dst_nm.c_str(), address_maker->getInvertedNetmasks()); return commitObject(address_maker->createObject(sig)); } diff --git a/src/import/PIXImporter.cpp b/src/import/PIXImporter.cpp index 0cccc9e..f91cf99 100644 --- a/src/import/PIXImporter.cpp +++ b/src/import/PIXImporter.cpp @@ -425,8 +425,8 @@ void PIXImporter::commitNamedAddressRangeObject() ObjectSignature sig; sig.object_name = named_object_name; sig.type_name = AddressRange::TYPENAME; - sig.address_range_start = tmp_range_1.c_str(); - sig.address_range_end = tmp_range_2.c_str(); + sig.setAddressRangeStart(tmp_range_1.c_str()); + sig.setAddressRangeEnd(tmp_range_2.c_str()); current_named_object = commitObject(address_maker->createObject(sig)); named_objects_registry[named_object_name] = current_named_object; } @@ -594,8 +594,8 @@ void PIXImporter::addNetworkToObjectGroup() { ObjectSignature sig; sig.type_name = Address::TYPENAME; - sig.address = tmp_a.c_str(); - sig.netmask = tmp_nm.c_str(); + sig.setAddress(tmp_a.c_str()); + sig.setNetmask(tmp_nm.c_str()); current_object_group->addRef( commitObject(address_maker->createObject(sig))); } diff --git a/src/import/addressObjectMaker.cpp b/src/import/addressObjectMaker.cpp index 37ddff9..675173f 100644 --- a/src/import/addressObjectMaker.cpp +++ b/src/import/addressObjectMaker.cpp 
@@ -49,82 +49,50 @@ AddressObjectMaker::~AddressObjectMaker() {} FWObject* AddressObjectMaker::createObject(ObjectSignature &sig) { -// FWObject *obj = findMatchingObject(sig); -// if (obj) return obj; - FWObject *obj = NULL; if (sig.type_name == AddressRange::TYPENAME) - obj = createAddressRange(sig.address_range_start, sig.address_range_end); + obj = createAddressRange(sig); else - obj = createAddress(sig.address, sig.netmask); + obj = createAddress(sig); + + // Now I should build new signature because actual object type has + // only been determined in createAddress() if ( ! sig.object_name.isEmpty()) { obj->setName(sig.object_name.toUtf8().constData()); - registerNamedObject(sig, obj); + ObjectSignature new_sig; + obj->dispatch(&new_sig, (void*)(NULL)); + registerNamedObject(new_sig, obj); } else - registerAnonymousObject(sig, obj); + { + ObjectSignature new_sig; + obj->dispatch(&new_sig, (void*)(NULL)); + registerAnonymousObject(new_sig, obj); + } return obj; } - -FWObject* AddressObjectMaker::createAddress(const QString &addr, - const QString &netmask) +FWObject* AddressObjectMaker::createAddress(ObjectSignature &sig) { - QString correct_nm = netmask; - if (inverted_netmasks) - { - InetAddr orig_nm(netmask.toStdString()); - correct_nm = (~orig_nm).toString().c_str(); - } - - try - { - InetAddr(correct_nm.toStdString()); - } catch (FWException &ex) - { - if (correct_nm.contains('.')) - { - // netmask has '.' in it but conversion failed. - throw ObjectMakerException( - QString("Error converting netmask '%1'").arg(correct_nm)); - } else - { - // no dot in netmask, perhaps it is specified by its length? 
- // if netmask is specified by length, need to use special - // constructor for class Netmask to convert - bool ok = false; - int nm_len = correct_nm.toInt(&ok); - if (ok) - { - correct_nm = InetAddr(nm_len).toString().c_str(); - } else - { - // could not convert netmask as simple integer - throw ObjectMakerException( - QString("Error converting netmask '%1'").arg(correct_nm)); - } - } - } + ObjectSignature signature = sig; - ObjectSignature sig; - sig.address = addr; - sig.netmask = correct_nm; + InetAddr netmask(signature.netmask.toStdString()); - if ( correct_nm == InetAddr::getAllOnes().toString().c_str() ) + if ( netmask == InetAddr::getAllOnes() ) { QString name; try { - sig.type_name = IPv4::TYPENAME; + signature.type_name = IPv4::TYPENAME; - FWObject *obj = findMatchingObject(sig); + FWObject *obj = findMatchingObject(signature); if (obj) return obj; - InetAddr obj_addr(addr.toStdString()); // testing if string converts to an address - name = QString("h-") + addr; + InetAddr obj_addr(sig.address.toStdString()); // testing if string converts to an address + name = QString("h-") + sig.address; Address *a = Address::cast( ObjectMaker::createObject(IPv4::TYPENAME, name.toStdString())); a->setAddress(obj_addr); 
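Review bot: `InetAddr netmask(signature.netmask.toStdString());` in createAddress is now constructed outside any try/catch, whereas the code this hunk removes turned a bad mask into an ObjectMakerException carrying the offending string. That is fine as long as every caller goes through ObjectSignature::setNetmask, but `netmask` is still a public field that the old call sites assigned directly, so a caller that keeps doing that lets a raw FWException escape here with no indication of which mask failed. I would state the precondition on that line, `// netmask must already be normalised by ObjectSignature::setNetmask(); an unvalidated string throws FWException here`, or keep the old wrapping. Separately, createObject now calls `obj->dispatch(&new_sig, (void*)(NULL))` without a null check while createAddress still ends in `return NULL;` (visible in the next hunk); if that path is reachable the new dispatch dereferences NULL. createAddress continues past the end of this hunk.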
@@ -137,52 +105,55 @@ FWObject* AddressObjectMaker::createAddress(const QString &addr, // Since parsers do not understand ipv6 yet, assume this // is a host address and create DNSName object - sig.type_name = DNSName::TYPENAME; - FWObject *obj = findMatchingObject(sig); + signature.type_name = DNSName::TYPENAME; + FWObject *obj = findMatchingObject(signature); if (obj) return obj; - name = addr; + name = sig.address; DNSName *da = DNSName::cast( ObjectMaker::createObject(DNSName::TYPENAME, name.toStdString())); - da->setSourceName(addr.toStdString()); + da->setSourceName(sig.address.toStdString()); da->setRunTime(true); return da; } } else { - sig.type_name = Network::TYPENAME; + signature.type_name = Network::TYPENAME; - qDebug() << "Search for " << sig.toString(); - - FWObject *obj = findMatchingObject(sig); + FWObject *obj = findMatchingObject(signature); if (obj) return obj; - QString name = QString("net-") + addr + "/" + correct_nm; + QString name = QString("net-%1/%2") + .arg(signature.address).arg(signature.netmask); Network *net = Network::cast( ObjectMaker::createObject(Network::TYPENAME, name.toStdString())); try { - net->setAddress( InetAddr(addr.toStdString()) ); + net->setAddress( InetAddr(sig.address.toStdString()) ); } catch (FWException &ex) { throw ObjectMakerException( - QString("Error converting address '%1'").arg(addr)); + QString("Error converting address '%1'").arg(sig.address)); } // we have already verified netmask above - net->setNetmask( InetAddr(correct_nm.toStdString()) ); + net->setNetmask(netmask); return net; } return NULL; } -FWObject* AddressObjectMaker::createAddressRange(const QString &addr1, - const QString &addr2) +FWObject* AddressObjectMaker::createAddressRange(ObjectSignature &sig) { + FWObject *obj = findMatchingObject(sig); + if (obj) return obj; + + QString addr1 = sig.address_range_start; + QString addr2 = sig.address_range_end; + QString name = QString("range-%1-%2").arg(addr1).arg(addr2); - QString name = 
QString("range-") + addr1 + "-" + addr2; AddressRange *ar = AddressRange::cast( ObjectMaker::createObject(AddressRange::TYPENAME, name.toStdString())); diff --git a/src/import/addressObjectMaker.h b/src/import/addressObjectMaker.h index f968ae9..f61505c 100644 --- a/src/import/addressObjectMaker.h +++ b/src/import/addressObjectMaker.h @@ -43,14 +43,13 @@ public: virtual ~AddressObjectMaker(); void setInvertedNetmasks(bool f) { inverted_netmasks = f; } + bool getInvertedNetmasks() { return inverted_netmasks; } virtual libfwbuilder::FWObject* createObject(ObjectSignature &sig); protected: - virtual libfwbuilder::FWObject* createAddress(const QString &a, - const QString &nm); - virtual libfwbuilder::FWObject* createAddressRange(const QString &a1, - const QString &a2); + virtual libfwbuilder::FWObject* createAddress(ObjectSignature &sig); + virtual libfwbuilder::FWObject* createAddressRange(ObjectSignature &sig); }; diff --git a/src/import/objectMaker.cpp b/src/import/objectMaker.cpp index e207fe2..410a2dd 100644 --- a/src/import/objectMaker.cpp +++ b/src/import/objectMaker.cpp 
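Review bot: the retained comment `// we have already verified netmask above` before `net->setNetmask(netmask);` is now stale, because the verification no longer happens in this function but in ObjectSignature::setNetmask, and only when the caller used it. I would reword it to `// netmask was validated by ObjectSignature::setNetmask() before we got here`. In createAddressRange the new `findMatchingObject(sig)` runs before `addr1`/`addr2` are converted, so a malformed range is first looked up by its raw strings; harmless as far as I can see, but a one-line comment saying the lookup is string-based would help. createAddress starts outside this hunk.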
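Review bot: `bool getInvertedNetmasks() { return inverted_netmasks; }` does not modify the object, so it should be `bool getInvertedNetmasks() const { return inverted_netmasks; }`; the Importer.cpp hunks call it through `address_maker->`, which stops compiling the day that pointer becomes const. A short comment on the setter/getter pair would also help, e.g. `// true when the imported config expresses masks as inverted (wildcard) masks`.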
@@ -242,6 +242,59 @@ ObjectSignature::ObjectSignature(const ObjectSignature &other) } } +void ObjectSignature::setAddress(const QString &s) +{ + address = s; +} + +void ObjectSignature::setAddressRangeStart(const QString &s) +{ + address_range_start = s; +} + +void ObjectSignature::setAddressRangeEnd(const QString &s) +{ + address_range_end = s; +} + +void ObjectSignature::setNetmask(const QString &netm, bool inverted_netmask) +{ + InetAddr inetaddr_nm; + + try + { + inetaddr_nm = InetAddr(netm.toStdString()); + if (inverted_netmask) inetaddr_nm = ~inetaddr_nm; + + } catch (FWException &ex) + { + if (netm.contains('.')) + { + // netmask has '.' in it but conversion failed. + throw ObjectMakerException( + QString("Error converting netmask '%1'").arg(netm)); + } else + { + // no dot in netmask, perhaps it is specified by its length? + // If netmask is specified by length, need to use special + // constructor for class Netmask to convert + bool ok = false; + int nm_len = netm.toInt(&ok); + if (ok) + { + inetaddr_nm = InetAddr(nm_len); + } else + { + // could not convert netmask as simple integer + throw ObjectMakerException( + QString("Error converting netmask '%1'").arg(netm)); + } + } + } + + netmask = inetaddr_nm.toString().c_str(); +} + void ObjectSignature::setProtocol(const QString &s) { // this assumes protocol is represented by a number @@ -838,8 +891,6 @@ void ObjectMaker::prepareForDeduplication(FWObject *root) root->dispatch(&sig, (void*)(NULL)); - qDebug() << "Registering " << sig.toString(); - registerNamedObject(sig, root); registerAnonymousObject(sig, root); // this erases sig.object_name } diff --git a/src/import/objectMaker.h b/src/import/objectMaker.h index df68070..7c8b881 100644 --- a/src/import/objectMaker.h +++ b/src/import/objectMaker.h 
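Review bot: `if (inverted_netmask) inetaddr_nm = ~inetaddr_nm;` sits inside the try block of setNetmask, so the flag is honoured only when the mask parses as a dotted address; when the mask is given as a prefix length and handled in the catch branch via `InetAddr(nm_len)`, the inversion is silently skipped. If the flag describes the input regardless of form, move that line after the try/catch, directly before `netmask = inetaddr_nm.toString().c_str();`; if a length can never be inverted, say so in a comment at that spot. `catch (FWException &ex)` never uses `ex`, so `catch (FWException &)` avoids the warning. setAddress, setAddressRangeStart and setAddressRangeEnd store their strings unvalidated, unlike setNetmask; a comment on them noting that conversion happens later in AddressObjectMaker would save the next reader a search.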
@@ -130,6 +130,10 @@ public:
// convenience methods that populate various attributes from
// strings taken from imported configs
+ void setAddress(const QString &s);
+ void setNetmask(const QString &s, bool inverted_netmask=false);
+ void setAddressRangeStart(const QString &s);
+ void setAddressRangeEnd(const QString &s);
void setProtocol(const QString &s);
void setIcmpFromName(const QString &s);
void setIcmpType(const QString &s);
diff --git a/src/unit_tests/ImporterTest/test_data/ios.fwb b/src/unit_tests/ImporterTest/test_data/ios.fwb
index 5faddba..1c1065f 100644
--- a/src/unit_tests/ImporterTest/test_data/ios.fwb
+++ b/src/unit_tests/ImporterTest/test_data/ios.fwb
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1300581831" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1300948713" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
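Review bot: `void setNetmask(const QString &s, bool inverted_netmask=false);` is the only one of the four new setters that can fail, and the header does not say so; the objectMaker.cpp implementation throws ObjectMakerException when the string is neither a dotted mask nor a prefix length. I would document that on the declaration, e.g. `// accepts a dotted mask or a prefix length, throws ObjectMakerException otherwise; inverted_netmask complements a dotted mask`, and note on setAddress/setAddressRangeStart/setAddressRangeEnd that they store the string as given without validation.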
@@ -476,8 +476,8 @@ <TCPService id="id37" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 22:22" comment="Created during import of line 176" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/> <TCPService id="id38" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 80:80 / 0:0" comment="Created during import of line 201" ro="False" src_range_start="80" src_range_end="80" dst_range_start="0" dst_range_end="0"/> <TCPService id="id39" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 80:80 / 0:0 est" comment="Created during import of line 203" ro="False" src_range_start="80" src_range_end="80" dst_range_start="0" dst_range_end="0"/> - <TCPService id="id40" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 1023:65535 / 0:0" comment="Created during import of line 205" ro="False" src_range_start="1023" src_range_end="65535" dst_range_start="0" dst_range_end="0"/> - <TCPService id="id41" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" 
syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:1023 / 0:0" comment="Created during import of line 206" ro="False" src_range_start="0" src_range_end="1023" dst_range_start="0" dst_range_end="0"/> + <TCPService id="id40" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 1024:65535 / 0:0" comment="Created during import of line 205" ro="False" src_range_start="1024" src_range_end="65535" dst_range_start="0" dst_range_end="0"/> + <TCPService id="id41" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:1022 / 0:0" comment="Created during import of line 206" ro="False" src_range_start="0" src_range_end="1022" dst_range_start="0" dst_range_end="0"/> <TCPService id="id42" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 80:80" comment="Created during import of line 208" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/> <TCPService id="id43" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 22:80" comment="Created during import of line 210" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="80"/> <TCPService id="id44" 
ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 2967:2967" comment="Created during import of line 214" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2967" dst_range_end="2967"/> diff --git a/src/unit_tests/ImporterTest/test_data/ios.result b/src/unit_tests/ImporterTest/test_data/ios.result index bcfacce..44beed2 100644 --- a/src/unit_tests/ImporterTest/test_data/ios.result +++ b/src/unit_tests/ImporterTest/test_data/ios.result 
@@ -2,22 +2,22 @@ Host name: "c3620" New interface: FastEthernet0/0 Interface address: 192.168.100.100/255.255.255.0 Interface address: 10.3.14.201/255.255.255.0 -Interface ruleset fe0_0_acl_in direction 'in' (set to 'in') -Interface ruleset fe0_0_acl_out direction 'out' (set to 'out') +Interface FastEthernet0/0 ruleset fe0_0_acl_in direction 'in' +Interface FastEthernet0/0 ruleset fe0_0_acl_out direction 'out' New interface: Ethernet1/0 Interface comment: Test [ test ] { test } ( and one more test) / weird:characters#$%^&*/ Interface address: 192.168.171.2/255.255.255.0 -Interface ruleset e1_0_acl_in direction 'in' (set to 'in') -Interface ruleset e1_0_acl_out direction 'out' (set to 'out') +Interface Ethernet1/0 ruleset e1_0_acl_in direction 'in' +Interface Ethernet1/0 ruleset e1_0_acl_out direction 'out' New interface: Serial1/0 New interface: Ethernet1/1 Interface address: 10.10.10.10/255.255.255.0 -Interface ruleset acl_133 direction 'in' (set to 'in') -Interface ruleset acl_133 direction 'out' (set to 'both') +Interface Ethernet1/1 ruleset acl_133 direction 'in' +Interface Ethernet1/1 ruleset acl_133 direction 'out' New interface: Ethernet1/2 Interface address: 10.10.20.20/255.255.255.0 -Interface ruleset acl_133 direction 'in' (set to 'in') -Interface ruleset acl_133 direction 'out' (set to 'both') +Interface Ethernet1/2 ruleset acl_133 direction 'in' +Interface Ethernet1/2 ruleset acl_133 direction 'out' Ruleset: e1_0_acl_in Ruleset: e1_0_acl_out Ruleset: fe0_0_acl_in diff --git a/src/unit_tests/ImporterTest/test_data/ipt.fwb b/src/unit_tests/ImporterTest/test_data/ipt.fwb index 931f5ef..0ebe76e 100644 --- a/src/unit_tests/ImporterTest/test_data/ipt.fwb +++ b/src/unit_tests/ImporterTest/test_data/ipt.fwb 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd"> -<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1300583953" id="root"> +<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1300949604" id="root"> <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True"> <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/> <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/> 
@@ -453,14 +453,14 @@
 <ObjectGroup id="id20" name="Groups" comment="" ro="False"/>
 <ObjectGroup id="id21" name="Hosts" comment="" ro="False"/>
 <ObjectGroup id="id22" name="Networks" comment="" ro="False">
- <Network id="id23" name="net-192.168.2.0/24" comment="Created during import of line 18" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
- <Network id="id24" name="net-192.168.0.0/16" comment="Created during import of line 85" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
- <Network id="id25" name="net-128.143.0.0/16" comment="Created during import of line 92" ro="False" address="128.143.0.0" netmask="255.255.0.0"/>
- <Network id="id26" name="net-1.1.0.0/16" comment="Created during import of line 98" ro="False" address="1.1.0.0" netmask="255.255.0.0"/>
- <Network id="id27" name="net-192.168.19.0/24" comment="Created during import of line 105" ro="False" address="192.168.19.0" netmask="255.255.255.0"/>
- <Network id="id28" name="net-192.168.1.0/24" comment="Created during import of line 257" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
- <Network id="id29" name="net-192.168.1.32/27" comment="Created during import of line 259" ro="False" address="192.168.1.32" netmask="255.255.255.224"/>
- <Network id="id30" name="net-222.222.222.0/24" comment="Created during import of line 266" ro="False" address="222.222.222.0" netmask="255.255.255.0"/>
+ <Network id="id23" name="net-192.168.2.0/255.255.255.0" comment="Created during import of line 18" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
+ <Network id="id24" name="net-192.168.0.0/255.255.0.0" comment="Created during import of line 85" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
+ <Network id="id25" name="net-128.143.0.0/255.255.0.0" comment="Created during import of line 92" ro="False" address="128.143.0.0" netmask="255.255.0.0"/>
+ <Network id="id26" name="net-1.1.0.0/255.255.0.0" comment="Created during import of line 98" ro="False" address="1.1.0.0" netmask="255.255.0.0"/>
+ <Network id="id27" name="net-192.168.19.0/255.255.255.0" comment="Created during import of line 105" ro="False" address="192.168.19.0" netmask="255.255.255.0"/>
+ <Network id="id28" name="net-192.168.1.0/255.255.255.0" comment="Created during import of line 257" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
+ <Network id="id29" name="net-192.168.1.32/255.255.255.224" comment="Created during import of line 259" ro="False" address="192.168.1.32" netmask="255.255.255.224"/>
+ <Network id="id30" name="net-222.222.222.0/255.255.255.0" comment="Created during import of line 266" ro="False" address="222.222.222.0" netmask="255.255.255.0"/>
 </ObjectGroup>
 <ObjectGroup id="id31" name="Address Ranges" comment="" ro="False">
 <AddressRange id="id32" name="range-10.212.66.2-10.212.66.3" comment="Created during import of line 80" ro="False" start_address="10.212.66.2" end_address="10.212.66.3"/>
diff --git a/src/unit_tests/ImporterTest/test_data/ipt.result b/src/unit_tests/ImporterTest/test_data/ipt.result
index a6aeb2b..8d7a358 100644
--- a/src/unit_tests/ImporterTest/test_data/ipt.result
+++ b/src/unit_tests/ImporterTest/test_data/ipt.result
@@ -23,11 +23,7 @@ Created branch Policy_eth1
 New interface: eth1
 New interface: eth0
 Warning: Line 42: Creating branch ruleset 'Policy_eth1' to match inbound and outbound interfaces -i eth0 -o eth1
-Warning: Line 69: Unknown parameter of target REJECT: icmp-foo-prohibited.
-Warning: Line 70: Unknown parameter of target REJECT: foo-prohib.
 Warning: Line 103: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
-Parser error: Line 150: Port spec foo is unknown
-Parser error: Line 150: Port spec foo is unknown
 Created branch user_chain_42_mod_match
 Created branch user_chain_43_mod_match
 Created branch user_chain_44_mod_match
-----------------------------------------------------------------------
Summary of changes: doc/ChangeLog | 11 ++- src/import/IPTImporter.cpp | 36 +++--- src/import/Importer.cpp | 8 +- src/import/PIXImporter.cpp | 14 +- src/import/addressObjectMaker.cpp | 107 +++++--------- src/import/addressObjectMaker.h | 7 +- src/import/getServByName.cpp | 165 ++++++++++++++-------- src/import/objectMaker.cpp | 55 +++++++- src/import/objectMaker.h | 4 + src/unit_tests/ImporterTest/test_data/ios.fwb | 6 +- src/unit_tests/ImporterTest/test_data/ios.result | 16 +- src/unit_tests/ImporterTest/test_data/ipt.fwb | 18 ++-- src/unit_tests/ImporterTest/test_data/ipt.result | 4 - 13 files changed, 267 insertions(+), 184 deletions(-) hooks/post-receive -- Firewall Builder GUI and Policy Compilers Open Source Code |
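Review bot: The new expected output drops both `Parser error: Line 150: Port spec foo is unknown` lines and the two `Unknown parameter of target REJECT` warnings, while the diffstat lists no change to the imported test input, so the importer presumably now accepts an unrecognized port name and an unrecognized REJECT option without emitting any diagnostic. For a firewall-policy importer that is a silent-acceptance regression: a rule whose port cannot be resolved should not be imported as if it were well-formed, and the operator needs a message telling them to check the resulting service object and rule. If the reworked getServByName lookup now maps an unknown name to some port, the expectation should keep a warning line that names the substitution; if the rule is dropped instead, the parser error should stay. The IPTImporter.cpp and getServByName.cpp changes that produce this output are outside this hunk, so the behaviour is inferred from the expectation change alone.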