/*
* This is identical to
* PolicyCompiler_ipf::processMultiAddressObjectsInRE::processNext()
* TODO: move the code to the class Compiler so it can be reused.
*/
bool RoutingCompiler::processMultiAddressObjectsInRE::processNext()
{
RoutingRule *rule = getNext(); if (rule==NULL) return false;
RuleElement *re = RuleElement::cast( rule->getFirstByType(re_type) );
for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
{
FWObject *o= *i;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME)
compiler->abort(
rule,
"Run-time AddressTable objects are not supported.");
AddressTable *at = AddressTable::cast(o);
if (at && at->isRunTime())
compiler->abort(
rule,
"Run-time AddressTable objects are not supported.");
}
tmp_queue.push_back(rule);
return true;
}
void PFImporter::addTDst()
{
NATRule *rule = NATRule::cast(current_rule);
RuleElement *re = rule->getTDst();
list<AddressSpec>::iterator it;
for (it=nat_group.begin(); it!=nat_group.end(); ++it)
{
FWObject *obj = makeAddressObj(*it);
if (obj) re->addRef(obj);
}
}
RuleElement *ComplexActionDialog::parseRuleTreeItem(QTreeWidgetItem *item)
{
int column = 0;
RuleElement *ruleElement = new RuleElement(item->text(column), QList<RuleElement *>()
, mWidgetItemCustomPropertyList.repeatCountByItem(item)
, mWidgetItemCustomPropertyList.isKeyActionByItem(item)
, mWidgetItemCustomPropertyList.durationByItem(item));
for (int i = 0; i < item->childCount(); ++i) {
ruleElement->addElementToList(parseRuleTreeItem(item->child(i)));
}
return ruleElement;
}
void PFImporter::addSrc()
{
PolicyRule *rule = PolicyRule::cast(current_rule);
RuleElement *re = rule->getSrc();
list<AddressSpec>::iterator it;
for (it=src_group.begin(); it!=src_group.end(); ++it)
{
FWObject *obj = makeAddressObj(*it);
if (obj) re->addRef(obj);
}
}
bool CreateObjectGroups::processNext()
{
Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size()==1)
{
/* create object group if the object in the RE is AddressRange
* because IOS normally does not support ranges in ACLs, but
* supports them in groups
*/
FWObject *re_obj = FWReference::getObject(re->front());
if ( ! AddressRange::isA(re_obj))
{
tmp_queue.push_back(rule);
return true;
}
}
BaseObjectGroup *obj_group = findObjectGroup(re);
if (obj_group==NULL)
{
obj_group = named_objects_manager->createObjectGroup();
named_objects_manager->getObjectGroupsGroup()->add(obj_group);
packObjects(re, obj_group);
obj_group->setObjectGroupTypeFromMembers(named_objects_manager);
QStringList group_name_prefix;
group_name_prefix.push_back(rule->getUniqueId().c_str());
group_name_prefix.push_back(name_suffix.c_str());
QString reg_name = BaseObjectGroup::registerGroupName(
group_name_prefix.join("."),
obj_group->getObjectGroupType());
obj_group->setName(reg_name.toUtf8().constData());
} else
{
re->clearChildren(false); //do not want to destroy children objects
re->addRef(obj_group);
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_pf::splitIfInterfaceInRE::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) );
if (re->size()<=2)
{
tmp_queue.push_back(rule);
return true;
}
list<FWObject*> cl;
for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
{
FWObject *o= *i;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
Interface *interface_=Interface::cast(o);
if (interface_!=NULL && interface_->isDyn())
cl.push_back(interface_);
}
if (!cl.empty())
{
RuleElement *nre;
PolicyRule *r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
nre=RuleElement::cast( r->getFirstByType(re_type) );
nre->clearChildren();
for (FWObject::iterator i=cl.begin(); i!=cl.end(); i++)
nre->addRef( *i );
tmp_queue.push_back(r);
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
nre=RuleElement::cast( r->getFirstByType(re_type) );
for (FWObject::iterator i=cl.begin(); i!=cl.end(); i++)
nre->removeRef( *i );
tmp_queue.push_back(r);
return true;
}
tmp_queue.push_back(rule);
return true;
}
void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address*, Address *dst, Service*)
{
// FWObject *rule_iface = compiler->dbcopy->findInIndex(
// policy_rule->getInterfaceId());
RuleElementItf *intf_re = policy_rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
string version = compiler->fw->getStr("version");
RuleElement *re;
FWObject *o;
re = nat_rule->getODst();
o = FWReference::getObject(re->front());
Address *odst = Address::cast(o); assert(odst);
FWObject *p = odst->getParent();
if (odst->getId() == rule_iface->getId() ||
p->getId() == rule_iface->getId())
{
QString err("Object %1 that represents translated address in a NAT rule %2 "
"is used in a policy rule of ASA v%3 firewall. "
"Starting with v8.3, ASA requires using real IP addresses "
"in the firewall policy rules. ");
compiler->warning(
policy_rule,
err.arg(QString::fromUtf8(dst->getName().c_str()))
.arg(nat_rule->getLabel().c_str())
.arg(version.c_str()).toStdString());
}
}
bool SpecialServices::processNext()
{
PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
Rule *rule = prev_processor->getNextRule(); if (rule==nullptr) return false;
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size() == 0)
{
cerr << "Rule " << rule->getLabel()
<< "rule element " << re_type << " is empty" << endl;
assert(re->size() != 0);
}
FWObject *obj = FWReference::getObject(re->front());
Service *s = Service::cast(obj);
string version = compiler->fw->getStr("version");
if (IPService::cast(s)!=nullptr)
{
if (s->getBool("short_fragm") ||
s->getBool("fragm") )
{
if (pix_comp) pix_comp->fragguard = true;
return true; // do not copy the rule
}
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
{
compiler->abort(
rule,
"PIX does not support checking for IP options in ACLs.");
return true;
}
}
if (TCPService::cast(s)!=nullptr)
{
if (s->getBool("ack_flag") ||
s->getBool("fin_flag") ||
s->getBool("rst_flag") ||
s->getBool("syn_flag") )
{
compiler->abort(
rule,
"PIX does not support checking for TCP options in ACLs.");
return true;
}
}
if (CustomService::cast(s)!=nullptr && pix_comp==nullptr)
{
compiler->abort(
rule,
"CustomService objects are not supported in NAT rules");
return true;
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_pf::processMultiAddressObjectsInRE::processNext()
{
PolicyCompiler_pf *pf_comp=dynamic_cast<PolicyCompiler_pf*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) );
bool neg = re->getNeg();
list<FWObject*> maddr_runtime;
try
{
for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
{
FWObject *o= *i;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=NULL &&
atrt->getSubstitutionTypeName()==AddressTable::TYPENAME)
{
if (re->size()>1 && neg)
{
compiler->abort(rule,
"AddressTable object can not be used "
"with negation in combination with "
"other objects in the same rule element.");
}
string tblname = o->getName();
string tblID = tblname + "_addressTableObject";
pf_comp->tables->registerTable(tblname,tblID,o);
o->setBool("pf_table",true);
maddr_runtime.push_back(o);
}
}
} catch(FWException &ex) // TableFactory::registerTable throws exception
{
string err;
err = "Can not process MultiAddress object: " + ex.toString();
compiler->abort(rule, err);
}
if (!maddr_runtime.empty())
{
RuleElement *nre;
for (FWObject::iterator i=maddr_runtime.begin(); i!=maddr_runtime.end(); i++)
{
PolicyRule *r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
nre=RuleElement::cast( r->getFirstByType(re_type) );
nre->clearChildren();
nre->addRef( *i );
tmp_queue.push_back(r);
}
for (FWObject::iterator i=maddr_runtime.begin(); i!=maddr_runtime.end(); i++)
re->removeRef( *i );
if (!re->isAny())
tmp_queue.push_back(rule);
return true;
}
tmp_queue.push_back(rule);
return true;
}
bool NATRule::isEmpty()
{
RuleElement *osrc = getOSrc();
RuleElement *odst = getODst();
RuleElement *osrv = getOSrv();
RuleElement *tsrc = getTSrc();
RuleElement *tdst = getTDst();
RuleElement *tsrv = getTSrv();
RuleElement *itf_inb = getItfInb();
RuleElement *itf_outb = getItfOutb();
return (osrc->isAny() && odst->isAny() && osrv->isAny() &&
tsrc->isAny() && tdst->isAny() && tsrv->isAny() &&
itf_inb->isAny() && itf_outb->isAny());
}
void PolicyCompiler_pix::replaceTranslatedAddresses::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address *src, Address*, Service *srv)
{
// FWObject *rule_iface = compiler->dbcopy->findInIndex(
// policy_rule->getInterfaceId());
RuleElementItf *intf_re = policy_rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
RuleElement *re = nat_rule->getOSrc();
FWObject *o = FWReference::getObject(re->front());
#ifndef NDEBUG
Address *osrc = Address::cast(o); assert(osrc);
#endif
re = nat_rule->getODst();
o = FWReference::getObject(re->front());
Address *odst = Address::cast(o); assert(odst);
re = nat_rule->getOSrv();
o = FWReference::getObject(re->front());
Service *osrv = Service::cast(o); assert(osrv);
#ifndef NDEBUG
re = nat_rule->getTSrc();
o = FWReference::getObject(re->front());
Address *tsrc = Address::cast(o); assert(tsrc);
re = nat_rule->getTDst();
o = FWReference::getObject(re->front());
Address *tdst = Address::cast(o); assert(tdst);
re = nat_rule->getTSrv();
o = FWReference::getObject(re->front());
Service *tsrv = Service::cast(o); assert(tsrv);
#endif
FWObject *p = odst->getParent();
if (odst->getId() == rule_iface->getId() ||
p->getId() == rule_iface->getId())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(policy_rule);
RuleElementSrc *nsrc = r->getSrc();
nsrc->clearChildren();
nsrc->addRef( src );
RuleElementDst *ndst = r->getDst();
ndst->clearChildren();
ndst->addRef( odst );
RuleElementSrv *nsrv = r->getSrv();
nsrv->clearChildren();
if (osrv->isAny())
nsrv->addRef( srv );
else
nsrv->addRef( osrv );
transformed_rules.push_back(r);
}
}
bool ProjectPanel::event(QEvent *event)
{
if (event->type() >= QEvent::User)
{
fwbUpdateEvent *ev = dynamic_cast<fwbUpdateEvent*>(event);
int event_code = event->type() - QEvent::User;
QString data_file = ev->getFileName();
int obj_id = ev->getObjectId();
FWObject *obj = db()->findInIndex(obj_id);
if (fwbdebug)
qDebug() << this
<< "rcs:"
<< rcs
<< "rcs->getFileName():"
<< QString((rcs!=NULL) ? rcs->getFileName() : "")
<< "file:"
<< data_file
<< "event:"
<< ev->getEventName()
<< "object:"
<< ((obj!=NULL) ? QString::fromUtf8(obj->getName().c_str()) : "")
<< "(" << ((obj!=NULL) ? obj->getTypeName().c_str() : "") << ")"
<< "id=" << ((obj!=NULL) ? obj->getId() : -1);
if (event_code == UPDATE_GUI_STATE_EVENT && mdiWindow != NULL)
{
m_panel->om->updateCreateObjectMenu(getCurrentLib());
ev->accept();
return true;
}
if ((rcs && rcs->getFileName() == data_file) ||
(!rcs && data_file.isEmpty()))
{
switch (event_code)
{
case RELOAD_OBJECT_TREE_EVENT:
registerTreeReloadRequest();
ev->accept();
return true;
case RELOAD_OBJECT_TREE_IMMEDIATELY_EVENT:
m_panel->om->reload();
ev->accept();
return true;
case RELOAD_RULESET_EVENT:
registerRuleSetRedrawRequest();
// update rule set title as well
//updateFirewallName();
ev->accept();
return true;
case MAKE_CURRENT_RULE_VISIBLE_IN_RULESET_EVENT:
{
RuleSetView* rsv = getCurrentRuleSetView();
if (rsv) rsv->makeCurrentRuleVisible();
ev->accept();
return true;
}
case RELOAD_RULESET_IMMEDIATELY_EVENT:
redrawRuleSets();
//reopenFirewall();
// update rule set title as well
//updateFirewallName();
ev->accept();
return true;
}
if (obj == NULL) return false;
switch (event_code)
{
case DATA_MODIFIED_EVENT:
{
// This event does not trigger any updates in the UI,
// this purely data structure update event.
FWObject *p = obj;
while (p && Firewall::cast(p)==NULL) p = p->getParent();
Firewall *f = Firewall::cast(p);
// when user locks firewall object, this code tries to
// update last_modified timestamp in it because it
// depends on itself. Dont.
if (f && !f->isReadOnly())
{
f->updateLastModifiedTimestamp();
QCoreApplication::postEvent(
mw, new updateObjectInTreeEvent(data_file, f->getId()));
}
registerModifiedObject(obj);
QCoreApplication::postEvent(mw, new updateGUIStateEvent());
ev->accept();
return true;
}
case UPDATE_OBJECT_EVERYWHERE_EVENT:
{
Rule *rule = NULL;
RuleSet* current_ruleset = NULL;
RuleSetView* rsv = getCurrentRuleSetView();
RuleSetModel* md = NULL;
if (rsv)
{
md = (RuleSetModel*)rsv->model();
current_ruleset = md->getRuleSet();
}
if (RuleElement::cast(obj)) rule = Rule::cast(obj->getParent());
if (Rule::cast(obj)) rule = Rule::cast(obj);
if (rule && current_ruleset && md && rule->isChildOf(current_ruleset))
{
md->rowChanged(md->index(rule, 0));
ev->accept();
return true;
}
if (rule)
{
QCoreApplication::postEvent(
this, new showObjectInRulesetEvent(data_file, obj_id));
ev->accept();
return true;
}
if (rsv) rsv->updateObject(obj);
if (Library::cast(obj))
{
m_panel->om->updateLibName(obj);
m_panel->om->updateLibColor(obj);
}
QCoreApplication::postEvent(
mw, new updateObjectInTreeEvent(data_file, obj_id));
// QCoreApplication::postEvent(
// this, new reloadRulesetEvent(data_file));
ev->accept();
return true;
}
case OBJECT_NAME_CHANGED_EVENT:
{
objectNameChangedEvent *name_change_event =
dynamic_cast<objectNameChangedEvent*>(event);
m_panel->om->updateObjectInTree(obj);
if (name_change_event->rename_children)
{
// This performs automatic renaming of child objects if necessary
m_panel->om->autoRenameChildren(obj, name_change_event->old_name);
}
ev->accept();
return true;
}
case UPDATE_LAST_COMPILED_TIMESTAMP_EVENT:
if (rcs && !rcs->isRO() &&
Firewall::cast(obj) && !obj->isReadOnly())
{
Firewall::cast(obj)->updateLastCompiledTimestamp();
QCoreApplication::postEvent(
mw, new updateObjectInTreeEvent(data_file, obj_id));
ev->accept();
return true;
}
break;
case UPDATE_LAST_INSTALLED_TIMESTAMP_EVENT:
if (rcs && !rcs->isRO() &&
Firewall::cast(obj) && !obj->isReadOnly())
{
Firewall::cast(obj)->updateLastInstalledTimestamp();
QCoreApplication::postEvent(
mw, new updateObjectInTreeEvent(data_file, obj_id));
ev->accept();
return true;
}
break;
}
// Events below this should only be processed if
// ProjectPanel has been attached to an MDI window. There
// is no MDI window right after project panel is created
// but some operations may already be performed. See
// FWWindow::fileOpen where ProjectPanel is cfeated and
// file is opened before MDI window is attached. So the UI
// update events below will only be processed if MDI
// window exists.
if (mdiWindow == NULL) return false;
switch (event->type() - QEvent::User)
{
case INSERT_OBJECT_IN_TREE_EVENT:
{
FWObject *parent =
db()->findInIndex(
dynamic_cast<insertObjectInTreeEvent*>(event)->parent_id);
m_panel->om->insertSubtree(parent, obj);
ev->accept();
return true;
}
case REMOVE_OBJECT_FROM_TREE_EVENT:
{
m_panel->om->removeObjectFromTreeView(obj);
ev->accept();
return true;
}
case ADD_TREE_PAGE_EVENT:
m_panel->om->addLib(obj);
ev->accept();
return true;
case REMOVE_TREE_PAGE_EVENT:
m_panel->om->removeLib(obj);
ev->accept();
return true;
case UPDATE_OBJECT_IN_TREE_EVENT:
registerObjectToUpdateInTree(obj, false);
ev->accept();
return true;
case UPDATE_OBJECT_AND_SUBTREE_IN_TREE_EVENT:
registerObjectToUpdateInTree(obj, true);
ev->accept();
return true;
case UPDATE_OBJECT_AND_SUBTREE_IMMEDIATELY_EVENT:
m_panel->om->updateObjectInTree(obj, true);
ev->accept();
return true;
case OPEN_RULESET_EVENT:
openRuleSet(obj);
// update rule set title as well
//updateFirewallName();
ev->accept();
return true;
case OPEN_RULESET_IMMEDIATELY_EVENT:
openRuleSet(obj, true);
// update rule set title as well
//updateFirewallName();
ev->accept();
return true;
case SELECT_RULE_ELEMENT_EVENT:
{
RuleSetView* rsv = getCurrentRuleSetView();
rsv->selectRE(Rule::cast(obj),
dynamic_cast<selectRuleElementEvent*>(event)->column_type);
rsv->setFocus(Qt::OtherFocusReason);
ev->accept();
return true;
}
case SHOW_OBJECT_IN_RULESET_EVENT:
{
// if obj is child of RuleElement (i.e. a reference object)
FWReference *ref = FWReference::cast(obj);
if (ref)
{
RuleSet* current_ruleset = NULL;
RuleSetView* rsv = getCurrentRuleSetView();
RuleSetModel* md = NULL;
if (rsv)
{
md = (RuleSetModel*)rsv->model();
current_ruleset = md->getRuleSet();
}
if (current_ruleset && obj->isChildOf(current_ruleset))
{
clearManipulatorFocus();
rsv->selectRE(ref);
rsv->setFocus(Qt::OtherFocusReason);
} else
{
FWObject *rs = obj;
while (rs && RuleSet::cast(rs)==NULL) rs = rs->getParent();
if (rs)
{
// reopen rule set right now, before we post event
// to show the object in it.
openRuleSet(rs);
QCoreApplication::postEvent(
this, new showObjectInRulesetEvent(data_file, obj_id));
}
}
ev->accept();
return true;
}
// if obj is RuleElement - select its first element
RuleElement *re = RuleElement::cast(obj);
if (re && re->size() > 0)
{
QCoreApplication::postEvent(
this, new showObjectInRulesetEvent(data_file, obj->front()->getId()));
ev->accept();
return true;
}
// if obj is Rule - select its comment (the only common rule element)
Rule *rule = Rule::cast(obj);
if (rule)
{
RuleSet* current_ruleset = NULL;
RuleSetView* rsv = getCurrentRuleSetView();
RuleSetModel* md = NULL;
if (rsv)
{
md = (RuleSetModel*)rsv->model();
current_ruleset = md->getRuleSet();
}
if (current_ruleset && rule->isChildOf(current_ruleset))
{
rsv->selectRE(rule, ColDesc::Comment);
rsv->setFocus(Qt::OtherFocusReason);
ev->accept();
return true;
} else
{
// this rule does not belong to the current ruleset
// reopen rule set right now, before we post event
// to show the object in it.
openRuleSet(rule->getParent(), true);
QCoreApplication::postEvent(
this, new showObjectInRulesetEvent(data_file, obj->getId()));
}
ev->accept();
return true;
}
ev->accept();
return true;
}
case SHOW_OBJECT_IN_TREE_EVENT:
//m_panel->om->setFocus();
m_panel->om->openObjectInTree(obj);
ev->accept();
return true;
case EXPAND_OBJECT_IN_TREE:
m_panel->om->expandObjectInTree(obj);
ev->accept();
return true;
case OPEN_LIBRARY_FOR_OBJECT_EVENT:
m_panel->om->openLibForObject(obj);
ev->accept();
return true;
case CLOSE_OBJECT_EVENT:
if (RuleSet::cast(obj))
{
if (visibleRuleSet == obj)
{
clearFirewallTabs();
closeRuleSet(obj);
}
} else
{
m_panel->om->closeObject();
mdiWindow->update();
}
ev->accept();
return true;
case ADD_USER_FOLDER_EVENT:
m_panel->om->addUserFolderToTree(obj, dynamic_cast<addUserFolderEvent *>(event)->m_userFolder);
ev->accept();
return true;
case REMOVE_USER_FOLDER_EVENT:
m_panel->om->removeUserFolderFromTree(obj, dynamic_cast<removeUserFolderEvent *>(event)->m_userFolder);
ev->accept();
return true;
case MOVE_TOFROM_USER_FOLDER_EVENT:
moveToFromUserFolderEvent *moveEvent =
dynamic_cast<moveToFromUserFolderEvent *>(event);
m_panel->om->moveToFromUserFolderInTree(obj, db()->findInIndex(moveEvent->m_objIdToMove), moveEvent->m_oldFolder, moveEvent->m_newFolder);
ev->accept();
return true;
}
}
return false;
}
//if (fwbdebug) qDebug() << this << "event:" << event;
return QWidget::event(event);
}
