void NATCompiler_ipf::PrintRule::_printAddr_R(Address *o, bool print_netmask)
{
const InetAddr *addr = o->getAddressPtr();
// check for the case when dynamic interface is used in TSrc (or when
// interface in TSrc just has no IP address )
if (Interface::cast(o) != nullptr && (addr==nullptr || addr->isAny()))
{
compiler->output << "0/32 ";
return;
}
if (addr)
{
InetAddr mask = *(o->getNetmaskPtr)();
if (Interface::cast(o) != nullptr)
mask = InetAddr(InetAddr::getAllOnes());
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr->isAny() && print_netmask && mask.isHostMask())
{
compiler->output << "0/32 ";
} else
{
compiler->output << addr->toString();
if (print_netmask)
compiler->output << "/" << mask.getLength();
compiler->output << " ";
}
}
}
void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
{
FWOptions* options=compiler->fw->getOptionsObject();
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=nullptr)
{
if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME)
{
compiler->output << atrt->getSourceName() << " ";
return;
}
// at this time we only support two types of MultiAddress
// objects: AddressTable and DNSName. Both should be converted
// to MultiAddressRunTime at this point. If we get some other
// kind of MultiAddressRunTime object, we do not know what to do
// with it so we stop.
assert(atrt==nullptr);
}
if (Interface::cast(o)!=nullptr && Interface::cast(o)->isDyn())
{
if (options->getBool("dynAddr"))
compiler->output << "(" << o->getName() << ") ";
else
compiler->output << "any ";
return;
}
const InetAddr *addr = o->getAddressPtr();
if (addr)
{
InetAddr mask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=nullptr && ! Interface::cast(o)->isDyn())
mask = InetAddr(InetAddr::getAllOnes());
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr->isAny() && mask.isAny())
{
compiler->output << "any ";
} else
{
compiler->output << addr->toString();
if (print_netmask)
compiler->output << "/" << mask.getLength();
compiler->output << " ";
}
}
}
void NATCompiler_pf::PrintRule::_printAddr(FWObject *o)
{
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=NULL)
{
if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME)
{
compiler->output << atrt->getSourceName() << " ";
return;
}
if (atrt->getSubstitutionTypeName()==AddressTable::TYPENAME)
{
compiler->output << "<" << o->getName() << "> ";
return;
}
if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME)
{
compiler->output << atrt->getSourceName() << ":network ";
return ;
}
assert(atrt==NULL);
}
if (Interface::cast(o)!=NULL)
{
compiler->output << "(" << o->getName() << ") ";
return;
}
if (o->getBool("pf_table"))
{
compiler->output << "<" << o->getName() << "> ";
return;
}
Address *addr_obj = Address::cast(o);
assert(addr_obj!=NULL);
const InetAddr *addr = addr_obj->getAddressPtr();
if (addr)
{
InetAddr mask = *(addr_obj->getNetmaskPtr());
if (Interface::cast(o)!=NULL || Address::cast(o)->dimension()==1)
{
mask = InetAddr(InetAddr::getAllOnes());
}
if (addr->isAny() && mask.isAny())
{
compiler->output << "any ";
} else
{
compiler->output << addr->toString();
if (!mask.isHostMask())
{
compiler->output << "/" << mask.getLength();
}
compiler->output << " ";
}
}
}
string TableFactory::PrintTables()
{
if (tables.size() == 0) return "";
stringstream output;
output << endl;
output << "# Tables: (" << tables.size() << ")" << endl;
for (map<string,string>::const_iterator i=tblnames.begin();
i!=tblnames.end(); i++)
{
string tblID = i->second;
FWObject *grp = tables[tblID];
output << "table ";
output << "<" << grp->getName() << "> ";
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(grp);
if (atrt!=nullptr &&
atrt->getSubstitutionTypeName()==AddressTable::TYPENAME)
{
output << "persist";
if ( !atrt->getSourceName().empty() )
{
string path =
atrt->getSourceNameAsPath(firewall->getOptionsObject());
if (path.empty()) {
compiler->abort("Error: Firewall's data directory not set for address table: " + atrt->getName());
}
output << " file \"" << path << "\"";
}
output << endl;
continue;
}
output << "{ ";
for (FWObject::iterator i=grp->begin(); i!=grp->end(); i++)
{
if (i!=grp->begin()) output << ", ";
FWObject *o = FWReference::getObject(*i);
if (o==nullptr) compiler->abort("broken table object ");
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=nullptr)
{
if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME)
{
output << atrt->getSourceName() << " ";
}
if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME)
{
output << atrt->getSourceName() << ":network ";
}
} else
{
if (Interface::cast(o))
{
output << o->getName();
} else
{
Address *A=Address::cast( o );
if (A==nullptr)
compiler->abort("table object must be an address: '" +
o->getTypeName()+"'");
const InetAddr *addr = A->getAddressPtr();
InetAddr mask = *(A->getNetmaskPtr());
if (A->dimension()==1)
{
mask = InetAddr(InetAddr::getAllOnes());
}
output << addr->toString();
if (!mask.isHostMask())
{
output << "/" << mask.getLength();
}
}
}
output << " ";
}
output << "} ";
output << endl;
}
output << endl;
return output.str();
}
string PolicyCompiler_iosacl::PrintRule::_printAddr(Address *o)
{
PolicyCompiler_iosacl *iosacl_comp = dynamic_cast<PolicyCompiler_iosacl*>(compiler);
if (Interface::cast(o)!=NULL)
{
Interface *interface_ = Interface::cast(o);
if (interface_->isDyn())
{
return string("interface ") + interface_->getLabel() + " ";
}
}
ostringstream str;
const InetAddr *srcaddr = o->getAddressPtr();
if (srcaddr)
{
const InetAddr *nm = o->getNetmaskPtr();
InetAddr srcmask;
if (nm != NULL)
{
srcmask = *nm;
} else
{
cerr << "Address object "
<< o
<< " "
<< o->getName()
<< " (" << o->getTypeName() << ") "
<< " has no netmask"
<< endl;
srcmask = InetAddr(InetAddr::getAllOnes(srcaddr->addressFamily()));
}
// const InetAddr srcmask = *(o->getNetmaskPtr());
if (srcaddr->isAny() && srcmask.isAny())
{
str << "any ";
} else
{
if (Interface::cast(o)==NULL &&
Interface::cast(o->getParent())==NULL &&
o->dimension() > 1 &&
!srcmask.isHostMask())
{
if (iosacl_comp->ipv6)
{
str << srcaddr->toString()
<< "/"
<< srcmask.getLength() << " ";
} else
{
str << srcaddr->toString() << " ";
// cisco uses "wildcards" instead of netmasks
//long nm = srcmask.to32BitInt();
//struct in_addr na;
//na.s_addr = ~nm;
InetAddr nnm( ~srcmask );
str << nnm.toString() << " ";
}
} else
{
str << "host " << srcaddr->toString() << " ";
}
}
return str.str();
}
ostringstream errstr;
errstr << "Object "
<< o->getName()
<< " (id="
<< o->getId()
<< ") "
<< " has no ip address and can not be used "
<< "in the rule.";
compiler->abort(errstr.str());
return ""; // to make compiler happy
}