/*
 * Return the printable form of a routing rule's interface element.
 *
 * @param rule routing rule whose interface (RItf) element is read.
 * @return the interface name followed by a single space, or an empty
 *         string when the element is "any" or when its first entry does
 *         not resolve to an Interface object.
 */
string RoutingCompiler_iosacl::PrintRule::_printRItf(RoutingRule *rule)
{
    // NOTE(review): the element pointer is dereferenced without a null
    // check; this relies on getRItf() always returning an object - confirm.
    RuleElementRItf *itf_element = rule->getRItf();
    if (itf_element->isAny()) return "";

    // Only the first entry of the element is consulted.
    Interface *iface = Interface::cast(
        FWObjectReference::getObject(itf_element->front()));
    if (iface == nullptr) return "";

    return iface->getName() + " ";
}
/*
 * Rule processor: reject an IOS routing rule that specifies both a gateway
 * address and an interface.
 *
 * @return false when getNext() yields no rule, true otherwise (including
 *         after compiler->abort() has been called for an offending rule).
 */
bool RoutingCompiler_iosacl::checkRItfAndGw::processNext()
{
    RoutingRule *rule = getNext();
    if (rule == nullptr) return false;

    // The rule is queued before it is validated, so it stays in tmp_queue
    // whenever compiler->abort() returns control instead of stopping.
    tmp_queue.push_back(rule);

    // assert() is compiled out when NDEBUG is defined; in such builds these
    // two pointers are dereferenced below without any check.
    RuleElementRItf *itfrel = rule->getRItf();
    assert(itfrel);
    RuleElementRGtw *gtwrel = rule->getRGtw();
    assert(gtwrel);

    // A rule with at most one of the two elements set is acceptable.
    if (itfrel->isAny() || gtwrel->isAny()) return true;

    compiler->abort(rule,
                    "Can not use both gateway address and interface in "
                    "IOS routing rule");
    return true;
}
/*
 * Rule processor: a routing rule may name a gateway or an interface, but
 * not both at once.
 *
 * @return false when getNext() yields no rule, true otherwise (including
 *         after compiler->abort() has been called for an offending rule).
 */
bool RoutingCompiler::interfaceOrGateway::processNext()
{
    RoutingRule *rule = getNext();
    if (rule == nullptr) return false;

    // The rule is queued before it is validated, so it stays in tmp_queue
    // whenever compiler->abort() returns control instead of stopping.
    tmp_queue.push_back(rule);

    // NOTE(review): neither element pointer is checked for null before
    // use; this relies on the getters always returning an object - confirm.
    RuleElementRItf *itf_element = rule->getRItf();
    RuleElementRGtw *gw_element = rule->getRGtw();

    // Nothing to report unless both elements carry a value.
    if (itf_element->isAny() || gw_element->isAny()) return true;

    compiler->abort(rule,
                    "Use either gateway or interface in a routing rule "
                    "but not both at the same time");
    return true;
}
/*
 * Rule processor: a PIX routing rule must set both the interface and the
 * gateway element; a rule that leaves either one as "any" is reported.
 *
 * @return false when getNext() yields no rule, true otherwise (including
 *         after compiler->abort() has been called for an offending rule).
 */
bool RoutingCompiler_pix::emptyRDstOrRItf::processNext()
{
    RoutingRule *rule = getNext();
    if (rule == nullptr) return false;

    // The rule is queued before it is validated, so it stays in tmp_queue
    // whenever compiler->abort() returns control instead of stopping.
    tmp_queue.push_back(rule);

    // NOTE(review): neither element pointer is checked for null before
    // use; this relies on the getters always returning an object - confirm.
    RuleElementRGtw *gw_element = rule->getRGtw();
    RuleElementRItf *itf_element = rule->getRItf();

    const bool both_present = !itf_element->isAny() && !gw_element->isAny();
    if (both_present) return true;

    compiler->abort(
        rule,
        "Interface and gateway rule elements can not be empty in "
        "the PIX routing rule");
    return true;
}
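/*
 * Rule processor: check that the interface used in a routing rule belongs
 * to the firewall being compiled.
 *
 * A rule passes when its interface element is "any", when the parent host
 * of the interface has the same id as compiler->fw, or when that parent is
 * a cluster whose member list contains compiler->fw. Every other case is
 * reported through compiler->abort().
 *
 * @return false when getNext() yields no rule, true otherwise (including
 *         after compiler->abort() has been called for an offending rule).
 */
bool RoutingCompiler::rItfChildOfFw::processNext()
{
    RoutingRule *rule = getNext();
    if (rule == nullptr) return false;

    // The rule is queued before it is validated, so it stays in tmp_queue
    // even when the check below fails and abort() returns (see the end of
    // this function).
    tmp_queue.push_back(rule);

    RuleElementRItf *itfrel = rule->getRItf();
    if (itfrel->isAny()) return true;

    // Only the first entry of the element is checked.
    // NOTE(review): the FWReference cast result and the object it points to
    // are both used without a null check (o is dereferenced again when the
    // error message is built) - confirm neither can be null here.
    FWObject *o = FWReference::cast(itfrel->front())->getPointer();

    Interface *iface = Interface::cast(o);
    if (iface)
    {
        FWObject *parent = Host::getParentHost(iface);

        // The contract of getParentHost() is not visible here; an interface
        // for which no parent host is found is treated as "not a child of
        // the firewall" and reported below instead of being dereferenced.
        if (parent != nullptr)
        {
            if (parent->getId() == compiler->fw->getId()) return true;

            // The interface is not a direct child of the firewall. It could
            // be a cluster interface though; in that case make sure the
            // firewall is a member of that cluster.
            Cluster *cluster = Cluster::cast(parent);
            if (cluster)
            {
                list<Firewall*> members;
                cluster->getMembersList(members);
                for (Firewall *member : members)
                {
                    if (member->getId() == compiler->fw->getId()) return true;
                }
            }
        }
    }

    string msg =
        "Object \"" + o->getName() +
        "\" used as interface in the routing rule " +
        rule->getLabel() +
        " is not a child of the firewall the rule belongs to";
    compiler->abort(rule, msg.c_str());

    // Even though we call abort() here, it does not actually stop the
    // program if it runs in the test mode, so a normal result is returned.
    return true;
}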