/*
 * Same logic as PolicyCompiler_ipf::processMultiAddressObjectsInRE::processNext():
 * scan the rule element for run-time AddressTable objects, which this
 * compiler rejects, and pass the rule through otherwise.
 * TODO: move the code to the class Compiler so it can be reused.
 */
bool RoutingCompiler::processMultiAddressObjectsInRE::processNext()
{
    RoutingRule *rule = getNext();
    if (rule == nullptr) return false;

    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));

    for (FWObject::iterator it = re->begin(); it != re->end(); ++it)
    {
        // Children of a rule element are references; resolve each to its target.
        FWObject *obj = *it;
        if (FWReference *ref = FWReference::cast(obj)) obj = ref->getPointer();

        // A MultiAddressRunTime standing in for an AddressTable is rejected ...
        MultiAddressRunTime *ma_rt = MultiAddressRunTime::cast(obj);
        if (ma_rt != nullptr && ma_rt->getSubstitutionTypeName() == AddressTable::TYPENAME)
            compiler->abort(rule, "Run-time AddressTable objects are not supported.");

        // ... and so is a run-time AddressTable object itself.
        AddressTable *table = AddressTable::cast(obj);
        if (table != nullptr && table->isRunTime())
            compiler->abort(rule, "Run-time AddressTable objects are not supported.");
    }

    tmp_queue.push_back(rule);
    return true;
}
/*
 * Fill the translated-destination element of the NAT rule being built
 * with one reference per entry of nat_group; entries for which
 * makeAddressObj() yields no object are skipped.
 */
void PFImporter::addTDst()
{
    NATRule *rule = NATRule::cast(current_rule);
    RuleElement *tdst = rule->getTDst();

    for (AddressSpec &spec : nat_group)
    {
        FWObject *addr = makeAddressObj(spec);
        if (addr != nullptr) tdst->addRef(addr);
    }
}
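/*
 * Build a RuleElement tree mirroring the given QTreeWidgetItem subtree.
 *
 * @param item  root of the widget subtree to convert; a null item yields
 *              a null result instead of a dereference.
 * @return a newly allocated RuleElement (created with new; the caller is
 *         responsible for its lifetime) whose children are built
 *         recursively from item's children, or nullptr when item is null.
 */
RuleElement *ComplexActionDialog::parseRuleTreeItem(QTreeWidgetItem *item)
{
    if (item == nullptr) return nullptr;

    // Only the first column carries the element's text.
    const int column = 0;
    RuleElement *ruleElement = new RuleElement(
        item->text(column),
        QList<RuleElement *>(),
        mWidgetItemCustomPropertyList.repeatCountByItem(item),
        mWidgetItemCustomPropertyList.isKeyActionByItem(item),
        mWidgetItemCustomPropertyList.durationByItem(item));

    // The widget tree is not modified during the walk, so the count is stable.
    const int child_count = item->childCount();
    for (int i = 0; i < child_count; ++i)
        ruleElement->addElementToList(parseRuleTreeItem(item->child(i)));

    return ruleElement;
}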
/*
 * Fill the source element of the policy rule being built with one
 * reference per entry of src_group; entries for which makeAddressObj()
 * yields no object are skipped.
 */
void PFImporter::addSrc()
{
    PolicyRule *rule = PolicyRule::cast(current_rule);
    RuleElement *src = rule->getSrc();

    for (AddressSpec &spec : src_group)
    {
        FWObject *addr = makeAddressObj(spec);
        if (addr != nullptr) src->addRef(addr);
    }
}
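/*
 * Replace the members of rule element re_type with a single named object
 * group so the generated configuration can refer to them by name.
 *
 * A single-member element is left alone unless the member is an
 * AddressRange, since IOS does not normally accept ranges in ACLs but
 * does accept them inside groups. An existing group with the same
 * members is reused; otherwise a new group is created, registered with
 * named_objects_manager and given a name derived from the rule id.
 *
 * @return false when the upstream processor has no more rules, true
 *         after the rule has been queued.
 */
bool CreateObjectGroups::processNext()
{
    Rule *rule = prev_processor->getNextRule();
    if (rule == nullptr) return false;

    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));

    if (re->size() == 1)
    {
        /* create object group if the object in the RE is AddressRange
         * because IOS normally does not support ranges in ACLs, but
         * supports them in groups */
        FWObject *re_obj = FWReference::getObject(re->front());
        if (!AddressRange::isA(re_obj))
        {
            tmp_queue.push_back(rule);
            return true;
        }
    }

    BaseObjectGroup *obj_group = findObjectGroup(re);
    if (obj_group == nullptr)
    {
        obj_group = named_objects_manager->createObjectGroup();
        named_objects_manager->getObjectGroupsGroup()->add(obj_group);
        // packObjects() moves the members of re into the new group.
        packObjects(re, obj_group);
        obj_group->setObjectGroupTypeFromMembers(named_objects_manager);

        // Group name is "<rule id>.<suffix>", registered so it stays unique.
        QStringList group_name_prefix;
        group_name_prefix.push_back(rule->getUniqueId().c_str());
        group_name_prefix.push_back(name_suffix.c_str());
        QString reg_name = BaseObjectGroup::registerGroupName(
            group_name_prefix.join("."), obj_group->getObjectGroupType());
        obj_group->setName(reg_name.toUtf8().constData());
    }
    else
    {
        re->clearChildren(false); //do not want to destroy children objects
        re->addRef(obj_group);
    }

    tmp_queue.push_back(rule);
    return true;
}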
/*
 * When rule element re_type holds more than two objects and some of them
 * are dynamic interfaces, split the rule in two: one copy holding only
 * the dynamic interfaces and one copy holding everything else. Both
 * copies are created in compiler->temp_ruleset. Rules with two or fewer
 * objects, or without dynamic interfaces, are queued unchanged.
 */
bool PolicyCompiler_pf::splitIfInterfaceInRE::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == nullptr) return false;

    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
    if (re->size() <= 2)
    {
        tmp_queue.push_back(rule);
        return true;
    }

    // Collect the dynamic interfaces referenced by the element.
    list<FWObject*> dyn_ifaces;
    for (FWObject::iterator it = re->begin(); it != re->end(); ++it)
    {
        FWObject *obj = *it;
        if (FWReference *ref = FWReference::cast(obj)) obj = ref->getPointer();
        Interface *iface = Interface::cast(obj);
        if (iface != nullptr && iface->isDyn()) dyn_ifaces.push_back(iface);
    }

    if (dyn_ifaces.empty())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    // First copy: only the dynamic interfaces.
    PolicyRule *iface_rule = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(iface_rule);
    iface_rule->duplicate(rule);
    RuleElement *iface_re = RuleElement::cast(iface_rule->getFirstByType(re_type));
    iface_re->clearChildren();
    for (FWObject *iface : dyn_ifaces) iface_re->addRef(iface);
    tmp_queue.push_back(iface_rule);

    // Second copy: everything except the dynamic interfaces.
    PolicyRule *rest_rule = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(rest_rule);
    rest_rule->duplicate(rule);
    RuleElement *rest_re = RuleElement::cast(rest_rule->getFirstByType(re_type));
    for (FWObject *iface : dyn_ifaces) rest_re->removeRef(iface);
    tmp_queue.push_back(rest_rule);

    return true;
}
/*
 * Emit a compiler warning when the translated destination of nat_rule is
 * the interface the policy rule is attached to (or lives directly under
 * it). The warning text explains that ASA 8.3 and later expect real
 * addresses in policy rules.
 *
 * Only dst is used from the address/service parameters; the others are
 * part of the callback signature.
 */
void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action(
    PolicyRule* policy_rule, NATRule* nat_rule, Address*, Address *dst, Service*)
{
    // FWObject *rule_iface = compiler->dbcopy->findInIndex(
    //     policy_rule->getInterfaceId());
    RuleElementItf *intf_re = policy_rule->getItf();
    FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
    string version = compiler->fw->getStr("version");

    // Original destination of the NAT rule; it must be an Address object.
    FWObject *odst_obj = FWReference::getObject(nat_rule->getODst()->front());
    Address *odst = Address::cast(odst_obj);
    assert(odst);

    FWObject *odst_parent = odst->getParent();
    const bool odst_is_iface = (odst->getId() == rule_iface->getId());
    const bool odst_under_iface = (odst_parent->getId() == rule_iface->getId());

    if (odst_is_iface || odst_under_iface)
    {
        QString err("Object %1 that represents translated address in a NAT rule %2 "
                    "is used in a policy rule of ASA v%3 firewall. "
                    "Starting with v8.3, ASA requires using real IP addresses "
                    "in the firewall policy rules. ");
        QString text = err.arg(QString::fromUtf8(dst->getName().c_str()))
                          .arg(nat_rule->getLabel().c_str())
                          .arg(version.c_str());
        compiler->warning(policy_rule, text.toStdString());
    }
}
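/*
 * Filter rules whose service (first object of rule element re_type) needs
 * special handling on PIX/ASA:
 *  - IP services matching fragments turn on the compiler's fragguard
 *    setting and the rule itself is dropped;
 *  - IP services checking IP options, and TCP services checking TCP
 *    flags, cannot be expressed in ACLs and abort the rule;
 *  - CustomService objects are rejected when this processor runs outside
 *    a PolicyCompiler_pix (i.e. in a NAT compiler).
 * Every other rule is passed on unchanged.
 *
 * @return false when the upstream processor has no more rules, true
 *         otherwise (including the cases where the rule was dropped).
 */
bool SpecialServices::processNext()
{
    // Null when the owning compiler is not a PolicyCompiler_pix (NAT compiler).
    PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);

    Rule *rule = prev_processor->getNextRule();
    if (rule == nullptr) return false;

    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
    if (re->size() == 0)
    {
        // Diagnostic before the assert so the failing rule can be identified.
        cerr << "Rule " << rule->getLabel() << " rule element " << re_type
             << " is empty" << endl;
        assert(re->size() != 0);
    }

    FWObject *obj = FWReference::getObject(re->front());
    Service *s = Service::cast(obj);

    if (IPService::cast(s) != nullptr)
    {
        if (s->getBool("short_fragm") || s->getBool("fragm"))
        {
            if (pix_comp) pix_comp->fragguard = true;
            return true; // do not copy the rule
        }
        if (s->getBool("rr") || s->getBool("ssrr") || s->getBool("ts"))
        {
            compiler->abort(rule, "PIX does not support checking for IP options in ACLs.");
            return true;
        }
    }

    if (TCPService::cast(s) != nullptr)
    {
        if (s->getBool("ack_flag") || s->getBool("fin_flag") ||
            s->getBool("rst_flag") || s->getBool("syn_flag"))
        {
            compiler->abort(rule, "PIX does not support checking for TCP options in ACLs.");
            return true;
        }
    }

    if (CustomService::cast(s) != nullptr && pix_comp == nullptr)
    {
        compiler->abort(rule, "CustomService objects are not supported in NAT rules");
        return true;
    }

    tmp_queue.push_back(rule);
    return true;
}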
/*
 * Turn every run-time AddressTable object found in rule element re_type
 * into a pf table: the object is registered with the compiler's table
 * factory, flagged with "pf_table", and the rule is split so that each
 * such object ends up in a rule of its own (created in
 * compiler->temp_ruleset). The remaining objects stay in the original
 * rule, which is queued only if it is still non-empty. Negated elements
 * that mix an AddressTable with other objects are rejected.
 */
bool PolicyCompiler_pf::processMultiAddressObjectsInRE::processNext()
{
    PolicyCompiler_pf *pf_comp = dynamic_cast<PolicyCompiler_pf*>(compiler);

    PolicyRule *rule = getNext();
    if (rule == nullptr) return false;

    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
    const bool negated = re->getNeg();

    list<FWObject*> runtime_tables;
    try
    {
        for (FWObject::iterator it = re->begin(); it != re->end(); ++it)
        {
            FWObject *obj = *it;
            if (FWReference *ref = FWReference::cast(obj)) obj = ref->getPointer();

            MultiAddressRunTime *ma_rt = MultiAddressRunTime::cast(obj);
            const bool is_runtime_table =
                (ma_rt != nullptr && ma_rt->getSubstitutionTypeName() == AddressTable::TYPENAME);
            if (!is_runtime_table) continue;

            if (re->size() > 1 && negated)
            {
                compiler->abort(rule,
                                "AddressTable object can not be used "
                                "with negation in combination with "
                                "other objects in the same rule element.");
            }

            string table_name = obj->getName();
            string table_id = table_name + "_addressTableObject";
            pf_comp->tables->registerTable(table_name, table_id, obj);
            obj->setBool("pf_table", true);
            runtime_tables.push_back(obj);
        }
    }
    catch (FWException &ex) // TableFactory::registerTable throws exception
    {
        string err = "Can not process MultiAddress object: " + ex.toString();
        compiler->abort(rule, err);
    }

    if (runtime_tables.empty())
    {
        tmp_queue.push_back(rule);
        return true;
    }

    // One new rule per table object, each holding just that object.
    for (FWObject *table_obj : runtime_tables)
    {
        PolicyRule *split_rule = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(split_rule);
        split_rule->duplicate(rule);
        RuleElement *split_re = RuleElement::cast(split_rule->getFirstByType(re_type));
        split_re->clearChildren();
        split_re->addRef(table_obj);
        tmp_queue.push_back(split_rule);
    }

    // The original rule keeps whatever was not a table object.
    for (FWObject *table_obj : runtime_tables) re->removeRef(table_obj);
    if (!re->isAny()) tmp_queue.push_back(rule);

    return true;
}
/*
 * A NAT rule is empty when every one of its eight rule elements
 * (original/translated src, dst, srv and inbound/outbound interfaces)
 * is "any".
 */
bool NATRule::isEmpty()
{
    RuleElement *elements[] = {
        getOSrc(), getODst(), getOSrv(),
        getTSrc(), getTDst(), getTSrv(),
        getItfInb(), getItfOutb()
    };

    for (RuleElement *re : elements)
    {
        if (!re->isAny()) return false;
    }
    return true;
}
/*
 * When the original destination of nat_rule is the interface the policy
 * rule is attached to (or lives directly under it), create a copy of the
 * policy rule in compiler->temp_ruleset that uses src as source, the NAT
 * rule's original destination as destination, and either srv or the NAT
 * rule's original service (when that one is not "any"). The copy is
 * appended to transformed_rules.
 *
 * In debug builds every NAT rule element is asserted to hold an object
 * of the expected class.
 */
void PolicyCompiler_pix::replaceTranslatedAddresses::action(
    PolicyRule* policy_rule, NATRule* nat_rule, Address *src, Address*, Service *srv)
{
    // FWObject *rule_iface = compiler->dbcopy->findInIndex(
    //     policy_rule->getInterfaceId());
    RuleElementItf *intf_re = policy_rule->getItf();
    FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());

    // First object referenced by a rule element.
    auto first_of = [](RuleElement *re) { return FWReference::getObject(re->front()); };

    FWObject *osrc_obj = first_of(nat_rule->getOSrc());
#ifndef NDEBUG
    Address *osrc = Address::cast(osrc_obj);
    assert(osrc);
#else
    (void)osrc_obj;
#endif

    Address *odst = Address::cast(first_of(nat_rule->getODst()));
    assert(odst);

    Service *osrv = Service::cast(first_of(nat_rule->getOSrv()));
    assert(osrv);

#ifndef NDEBUG
    Address *tsrc = Address::cast(first_of(nat_rule->getTSrc()));
    assert(tsrc);
    Address *tdst = Address::cast(first_of(nat_rule->getTDst()));
    assert(tdst);
    Service *tsrv = Service::cast(first_of(nat_rule->getTSrv()));
    assert(tsrv);
#endif

    FWObject *odst_parent = odst->getParent();
    const bool odst_is_iface = (odst->getId() == rule_iface->getId());
    const bool odst_under_iface = (odst_parent->getId() == rule_iface->getId());
    if (!(odst_is_iface || odst_under_iface)) return;

    PolicyRule *copy = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(copy);
    copy->duplicate(policy_rule);

    RuleElementSrc *new_src = copy->getSrc();
    new_src->clearChildren();
    new_src->addRef(src);

    RuleElementDst *new_dst = copy->getDst();
    new_dst->clearChildren();
    new_dst->addRef(odst);

    // Keep the NAT rule's service unless it is "any", then fall back to srv.
    RuleElementSrv *new_srv = copy->getSrv();
    new_srv->clearChildren();
    new_srv->addRef(osrv->isAny() ? srv : osrv);

    transformed_rules.push_back(copy);
}
/*
 * Dispatch application-defined events (type >= QEvent::User) to the
 * project panel. Every such event is treated as an fwbUpdateEvent that
 * carries the data file it concerns and an object id; events for a
 * different file are ignored. Events that only touch data are handled
 * first; UI updates are handled only once the panel is attached to an
 * MDI window. Events of other types go to QWidget::event().
 *
 * Returns true when the event was accepted and handled here, false
 * otherwise.
 *
 * NOTE(review): the dynamic_cast to fwbUpdateEvent is not checked for
 * nullptr before ev is dereferenced, so a user-type event that is not an
 * fwbUpdateEvent would crash here — confirm no such event is posted.
 */
bool ProjectPanel::event(QEvent *event)
{
    if (event->type() >= QEvent::User)
    {
        fwbUpdateEvent *ev = dynamic_cast<fwbUpdateEvent*>(event);
        // Event codes are offsets from QEvent::User.
        int event_code = event->type() - QEvent::User;
        QString data_file = ev->getFileName();
        int obj_id = ev->getObjectId();
        // May be null when the object has been deleted or the id is unused.
        FWObject *obj = db()->findInIndex(obj_id);

        if (fwbdebug)
            qDebug() << this
                     << "rcs:" << rcs
                     << "rcs->getFileName():" << QString((rcs!=NULL) ? rcs->getFileName() : "")
                     << "file:" << data_file
                     << "event:" << ev->getEventName()
                     << "object:" << ((obj!=NULL) ? QString::fromUtf8(obj->getName().c_str()) : "")
                     << "(" << ((obj!=NULL) ? obj->getTypeName().c_str() : "") << ")"
                     << "id=" << ((obj!=NULL) ? obj->getId() : -1);

        // GUI state refresh does not depend on the data file, only on an MDI window.
        if (event_code == UPDATE_GUI_STATE_EVENT && mdiWindow != NULL)
        {
            m_panel->om->updateCreateObjectMenu(getCurrentLib());
            ev->accept();
            return true;
        }

        // Only handle events addressed to the file this panel has open
        // (or, with no file open, events carrying no file name).
        if ((rcs && rcs->getFileName() == data_file) || (!rcs && data_file.isEmpty()))
        {
            // Events that do not need an object.
            switch (event_code)
            {
            case RELOAD_OBJECT_TREE_EVENT:
                registerTreeReloadRequest();
                ev->accept();
                return true;

            case RELOAD_OBJECT_TREE_IMMEDIATELY_EVENT:
                m_panel->om->reload();
                ev->accept();
                return true;

            case RELOAD_RULESET_EVENT:
                registerRuleSetRedrawRequest();
                // update rule set title as well
                //updateFirewallName();
                ev->accept();
                return true;

            case MAKE_CURRENT_RULE_VISIBLE_IN_RULESET_EVENT:
            {
                RuleSetView* rsv = getCurrentRuleSetView();
                if (rsv) rsv->makeCurrentRuleVisible();
                ev->accept();
                return true;
            }

            case RELOAD_RULESET_IMMEDIATELY_EVENT:
                redrawRuleSets();
                //reopenFirewall();
                // update rule set title as well
                //updateFirewallName();
                ev->accept();
                return true;
            }

            // Everything below needs the object the event refers to.
            if (obj == NULL) return false;

            // Data-only events; these do not require an MDI window.
            switch (event_code)
            {
            case DATA_MODIFIED_EVENT:
            {
                // This event does not trigger any updates in the UI,
                // it is purely a data structure update event.
                // Walk up to the enclosing Firewall object, if any.
                FWObject *p = obj;
                while (p && Firewall::cast(p)==NULL) p = p->getParent();
                Firewall *f = Firewall::cast(p);

                // when user locks firewall object, this code tries to
                // update last_modified timestamp in it because it
                // depends on itself. Dont.
                if (f && !f->isReadOnly())
                {
                    f->updateLastModifiedTimestamp();
                    QCoreApplication::postEvent(
                        mw, new updateObjectInTreeEvent(data_file, f->getId()));
                }
                registerModifiedObject(obj);
                QCoreApplication::postEvent(mw, new updateGUIStateEvent());
                ev->accept();
                return true;
            }

            case UPDATE_OBJECT_EVERYWHERE_EVENT:
            {
                Rule *rule = NULL;
                RuleSet* current_ruleset = NULL;
                RuleSetView* rsv = getCurrentRuleSetView();
                RuleSetModel* md = NULL;
                if (rsv)
                {
                    md = (RuleSetModel*)rsv->model();
                    current_ruleset = md->getRuleSet();
                }

                // A rule element resolves to its parent rule; a rule to itself.
                if (RuleElement::cast(obj)) rule = Rule::cast(obj->getParent());
                if (Rule::cast(obj)) rule = Rule::cast(obj);

                // Rule is in the ruleset currently shown: refresh its row in place.
                if (rule && current_ruleset && md && rule->isChildOf(current_ruleset))
                {
                    md->rowChanged(md->index(rule, 0));
                    ev->accept();
                    return true;
                }

                // Rule belongs to another ruleset: defer to showObjectInRulesetEvent.
                if (rule)
                {
                    QCoreApplication::postEvent(
                        this, new showObjectInRulesetEvent(data_file, obj_id));
                    ev->accept();
                    return true;
                }

                if (rsv) rsv->updateObject(obj);

                if (Library::cast(obj))
                {
                    m_panel->om->updateLibName(obj);
                    m_panel->om->updateLibColor(obj);
                }

                QCoreApplication::postEvent(
                    mw, new updateObjectInTreeEvent(data_file, obj_id));
                // QCoreApplication::postEvent(
                //     this, new reloadRulesetEvent(data_file));
                ev->accept();
                return true;
            }

            case OBJECT_NAME_CHANGED_EVENT:
            {
                objectNameChangedEvent *name_change_event =
                    dynamic_cast<objectNameChangedEvent*>(event);
                m_panel->om->updateObjectInTree(obj);
                if (name_change_event->rename_children)
                {
                    // This performs automatic renaming of child objects if necessary
                    m_panel->om->autoRenameChildren(obj, name_change_event->old_name);
                }
                ev->accept();
                return true;
            }

            case UPDATE_LAST_COMPILED_TIMESTAMP_EVENT:
                // Timestamps are only written for a writable file and a writable firewall.
                if (rcs && !rcs->isRO() && Firewall::cast(obj) && !obj->isReadOnly())
                {
                    Firewall::cast(obj)->updateLastCompiledTimestamp();
                    QCoreApplication::postEvent(
                        mw, new updateObjectInTreeEvent(data_file, obj_id));
                    ev->accept();
                    return true;
                }
                break;

            case UPDATE_LAST_INSTALLED_TIMESTAMP_EVENT:
                if (rcs && !rcs->isRO() && Firewall::cast(obj) && !obj->isReadOnly())
                {
                    Firewall::cast(obj)->updateLastInstalledTimestamp();
                    QCoreApplication::postEvent(
                        mw, new updateObjectInTreeEvent(data_file, obj_id));
                    ev->accept();
                    return true;
                }
                break;
            }

            // Events below this should only be processed if
            // ProjectPanel has been attached to an MDI window. There
            // is no MDI window right after project panel is created
            // but some operations may already be performed. See
            // FWWindow::fileOpen where ProjectPanel is created and
            // file is opened before MDI window is attached. So the UI
            // update events below will only be processed if MDI
            // window exists.
            if (mdiWindow == NULL) return false;

            // UI update events.
            switch (event->type() - QEvent::User)
            {
            case INSERT_OBJECT_IN_TREE_EVENT:
            {
                FWObject *parent = db()->findInIndex(
                    dynamic_cast<insertObjectInTreeEvent*>(event)->parent_id);
                m_panel->om->insertSubtree(parent, obj);
                ev->accept();
                return true;
            }

            case REMOVE_OBJECT_FROM_TREE_EVENT:
            {
                m_panel->om->removeObjectFromTreeView(obj);
                ev->accept();
                return true;
            }

            case ADD_TREE_PAGE_EVENT:
                m_panel->om->addLib(obj);
                ev->accept();
                return true;

            case REMOVE_TREE_PAGE_EVENT:
                m_panel->om->removeLib(obj);
                ev->accept();
                return true;

            case UPDATE_OBJECT_IN_TREE_EVENT:
                registerObjectToUpdateInTree(obj, false);
                ev->accept();
                return true;

            case UPDATE_OBJECT_AND_SUBTREE_IN_TREE_EVENT:
                registerObjectToUpdateInTree(obj, true);
                ev->accept();
                return true;

            case UPDATE_OBJECT_AND_SUBTREE_IMMEDIATELY_EVENT:
                m_panel->om->updateObjectInTree(obj, true);
                ev->accept();
                return true;

            case OPEN_RULESET_EVENT:
                openRuleSet(obj);
                // update rule set title as well
                //updateFirewallName();
                ev->accept();
                return true;

            case OPEN_RULESET_IMMEDIATELY_EVENT:
                openRuleSet(obj, true);
                // update rule set title as well
                //updateFirewallName();
                ev->accept();
                return true;

            case SELECT_RULE_ELEMENT_EVENT:
            {
                // NOTE(review): unlike the other cases, rsv is used here
                // without a null check — confirm a rule set view is
                // always open when this event is posted.
                RuleSetView* rsv = getCurrentRuleSetView();
                rsv->selectRE(Rule::cast(obj),
                              dynamic_cast<selectRuleElementEvent*>(event)->column_type);
                rsv->setFocus(Qt::OtherFocusReason);
                ev->accept();
                return true;
            }

            case SHOW_OBJECT_IN_RULESET_EVENT:
            {
                // if obj is child of RuleElement (i.e. a reference object)
                FWReference *ref = FWReference::cast(obj);
                if (ref)
                {
                    RuleSet* current_ruleset = NULL;
                    RuleSetView* rsv = getCurrentRuleSetView();
                    RuleSetModel* md = NULL;
                    if (rsv)
                    {
                        md = (RuleSetModel*)rsv->model();
                        current_ruleset = md->getRuleSet();
                    }
                    if (current_ruleset && obj->isChildOf(current_ruleset))
                    {
                        clearManipulatorFocus();
                        rsv->selectRE(ref);
                        rsv->setFocus(Qt::OtherFocusReason);
                    }
                    else
                    {
                        // Find the rule set the reference lives in.
                        FWObject *rs = obj;
                        while (rs && RuleSet::cast(rs)==NULL) rs = rs->getParent();
                        if (rs)
                        {
                            // reopen rule set right now, before we post event
                            // to show the object in it.
                            openRuleSet(rs);
                            QCoreApplication::postEvent(
                                this, new showObjectInRulesetEvent(data_file, obj_id));
                        }
                    }
                    ev->accept();
                    return true;
                }

                // if obj is RuleElement - select its first element
                RuleElement *re = RuleElement::cast(obj);
                if (re && re->size() > 0)
                {
                    QCoreApplication::postEvent(
                        this, new showObjectInRulesetEvent(data_file, obj->front()->getId()));
                    ev->accept();
                    return true;
                }

                // if obj is Rule - select its comment (the only common rule element)
                Rule *rule = Rule::cast(obj);
                if (rule)
                {
                    RuleSet* current_ruleset = NULL;
                    RuleSetView* rsv = getCurrentRuleSetView();
                    RuleSetModel* md = NULL;
                    if (rsv)
                    {
                        md = (RuleSetModel*)rsv->model();
                        current_ruleset = md->getRuleSet();
                    }
                    if (current_ruleset && rule->isChildOf(current_ruleset))
                    {
                        rsv->selectRE(rule, ColDesc::Comment);
                        rsv->setFocus(Qt::OtherFocusReason);
                        ev->accept();
                        return true;
                    }
                    else
                    {
                        // this rule does not belong to the current ruleset
                        // reopen rule set right now, before we post event
                        // to show the object in it.
                        openRuleSet(rule->getParent(), true);
                        QCoreApplication::postEvent(
                            this, new showObjectInRulesetEvent(data_file, obj->getId()));
                    }
                    ev->accept();
                    return true;
                }

                // Any other object type: nothing to select, but the event is consumed.
                ev->accept();
                return true;
            }

            case SHOW_OBJECT_IN_TREE_EVENT:
                //m_panel->om->setFocus();
                m_panel->om->openObjectInTree(obj);
                ev->accept();
                return true;

            case EXPAND_OBJECT_IN_TREE:
                m_panel->om->expandObjectInTree(obj);
                ev->accept();
                return true;

            case OPEN_LIBRARY_FOR_OBJECT_EVENT:
                m_panel->om->openLibForObject(obj);
                ev->accept();
                return true;

            case CLOSE_OBJECT_EVENT:
                // A rule set is closed only when it is the one on display;
                // any other object closes the object editor instead.
                if (RuleSet::cast(obj))
                {
                    if (visibleRuleSet == obj)
                    {
                        clearFirewallTabs();
                        closeRuleSet(obj);
                    }
                }
                else
                {
                    m_panel->om->closeObject();
                    mdiWindow->update();
                }
                ev->accept();
                return true;

            case ADD_USER_FOLDER_EVENT:
                m_panel->om->addUserFolderToTree(
                    obj, dynamic_cast<addUserFolderEvent *>(event)->m_userFolder);
                ev->accept();
                return true;

            case REMOVE_USER_FOLDER_EVENT:
                m_panel->om->removeUserFolderFromTree(
                    obj, dynamic_cast<removeUserFolderEvent *>(event)->m_userFolder);
                ev->accept();
                return true;

            case MOVE_TOFROM_USER_FOLDER_EVENT:
                // Declared without braces; this is valid only because it is the
                // last label in the switch (no later case can jump past it).
                moveToFromUserFolderEvent *moveEvent =
                    dynamic_cast<moveToFromUserFolderEvent *>(event);
                m_panel->om->moveToFromUserFolderInTree(
                    obj,
                    db()->findInIndex(moveEvent->m_objIdToMove),
                    moveEvent->m_oldFolder,
                    moveEvent->m_newFolder);
                ev->accept();
                return true;
            }
        }
        // Unknown user event, or event for another file: not handled here.
        return false;
    }

    //if (fwbdebug) qDebug() << this << "event:" << event;
    return QWidget::event(event);
}