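/*
 * Reject rules that reference two *different* "fragment-offset" custom
 * services at once. A single rule whose service element carries
 * contradicting fragment matchers would be compiled into a term whose
 * match conditions can never be satisfied the way the author expects,
 * so the compiler refuses it instead of silently emitting it.
 *
 * Rules with a single service cannot contradict themselves and are
 * passed through untouched. Every rule (accepted or not) is pushed to
 * tmp_queue; abort() reports the problem to the compiler.
 */
bool PolicyCompiler_junosacl::checkIPv4FragmentService::processNext()
{
    PolicyRule *rule = getNext();
    if (rule==NULL) return false;

    RuleElementSrv *srv = rule->getSrv();

    if (srv->size() > 1)
    {
        // Platform-specific code of a fragment matcher starts with this
        // prefix; only the prefix is compared, the rest of the code is
        // free-form.
        static const char kFragmentPrefix[] = "fragment-offset";
        const size_t prefix_len = sizeof(kFragmentPrefix) - 1;   // 15

        // First fragment-offset service seen in this rule, if any.
        CustomService *fragment_srv = NULL;

        for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
        {
            FWObject *o = *i1;
            FWObject *obj = NULL;
            if (FWReference::cast(o)!=NULL) obj = FWReference::cast(o)->getPointer();

            Service *s = Service::cast(obj);
            if (s==NULL)
            {
                // An assert() here would vanish under NDEBUG and turn a
                // malformed rule element into a NULL dereference below;
                // report it through the compiler instead and skip it.
                compiler->abort(
                    rule,
                    "Service rule element contains an object that is not a service.");
                continue;
            }

            CustomService *custom_srv = CustomService::cast(s);
            if (custom_srv==NULL) continue;

            // compare(pos, len, s) checks the prefix without building a
            // temporary substring.
            if (custom_srv->getCodeForPlatform(compiler->myPlatformName())
                    .compare(0, prefix_len, kFragmentPrefix) != 0)
                continue;

            if (fragment_srv==NULL)
            {
                fragment_srv = custom_srv;
            }
            else if (fragment_srv->getId() != custom_srv->getId())
            {
                // Same object referenced twice is harmless; two distinct
                // fragment services in one rule are not.
                compiler->abort(
                    rule,
                    "You have contradicting IPv4 fragmentation services in the same rule.");
            }
        }
    }

    tmp_queue.push_back(rule);
    return true;
}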
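/*
 * For a policy rule whose (dst, srv) pair matches the original target of
 * a NAT redirect rule, add the address the traffic is redirected to
 * (new_tdst) to the rule's destination element, so the policy also
 * matches the redirected flow. The rule itself always passes through;
 * at most one address is added, after which we stop looking.
 *
 * redirect_rules_info is filled in by the NAT compiler; without it this
 * processor cannot work and reports an error. Objects named by the
 * redirect info are resolved through dbcopy; an entry that cannot be
 * resolved is an internal inconsistency and is reported rather than
 * dereferenced.
 */
bool PolicyCompiler_pf::addLoopbackForRedirect::processNext()
{
    PolicyRule *rule = getNext();
    if (rule==NULL) return false;

    PolicyCompiler_pf *pf_comp = dynamic_cast<PolicyCompiler_pf*>(compiler);
    RuleElementDst *dst = rule->getDst();
    RuleElementSrv *srv = rule->getSrv();

    const bool missing_info =
        (pf_comp==NULL || pf_comp->redirect_rules_info==NULL);

    if (missing_info)
        compiler->abort(
            rule,
            "addLoopbackForRedirect needs a valid pointer to "
            "the list<NATCompiler_pf::redirectRuleInfo> object");

    tmp_queue.push_back(rule);

    // abort() may return (errors can be collected rather than thrown);
    // never touch the missing list in that case.
    if (missing_info || pf_comp->redirect_rules_info->empty()) return true;

    for (FWObject::iterator i=srv->begin(); i!=srv->end(); ++i)
    {
        Service *s = Service::cast(FWReference::getObject(*i));
        assert(s);

        for (FWObject::iterator j=dst->begin(); j!=dst->end(); ++j)
        {
            FWObject *o2 = FWReference::getObject(*j);

            // The DNSName placeholder "self" is not a concrete address
            // and can never match a redirect target.
            if (o2->getName() == "self" && DNSName::isA(o2)) continue;

            Address *a = Address::cast(o2);
            assert(a);

            list<NATCompiler_pf::redirectRuleInfo>::const_iterator k;
            for (k=pf_comp->redirect_rules_info->begin();
                 k!=pf_comp->redirect_rules_info->end(); ++k)
            {
                Address *old_tdst_obj = Address::cast(
                    compiler->dbcopy->findInIndex(k->old_tdst));
                Service *tsrv_obj = Service::cast(
                    compiler->dbcopy->findInIndex(k->tsrv));

                if (old_tdst_obj==NULL || tsrv_obj==NULL)
                {
                    // Would otherwise be a NULL dereference in the
                    // comparison below.
                    compiler->abort(
                        rule,
                        "addLoopbackForRedirect: NAT redirect rule refers "
                        "to an object missing from the object tree");
                    return true;
                }

                if ( *a == *(old_tdst_obj) && *s == *(tsrv_obj) )
                {
                    // Insert address used for redirection in the NAT rule.
                    FWObject *new_tdst_obj =
                        compiler->dbcopy->findInIndex(k->new_tdst);
                    if (new_tdst_obj==NULL)
                    {
                        compiler->abort(
                            rule,
                            "addLoopbackForRedirect: NAT redirect rule refers "
                            "to an object missing from the object tree");
                        return true;
                    }
                    dst->addRef(new_tdst_obj);
                    return true;
                }
            }
        }
    }

    return true;
}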
/*
 * When the rule option "iosacl_add_mirror_rule" is set, emit a mirrored
 * copy of the rule ahead of the original: src and dst swapped, direction
 * flipped (Inbound <-> Outbound, anything else becomes Both), interface
 * and action kept, and every service replaced by its mirror image via
 * ObjectMirror. Presumably this admits the reverse flow of a stateless
 * ACL; note the mirrored rule carries the *same* action, so mirroring an
 * accept rule permits traffic in the opposite direction as well.
 *
 * Mirrored service objects that have no parent are parked in
 * persistent_objects so they outlive this processor.
 */
bool PolicyCompiler_junosacl::mirrorRule::processNext()
{
    PolicyRule *rule = getNext();
    if (rule==NULL) return false;

    if (rule->getOptionsObject()->getBool("iosacl_add_mirror_rule"))
    {
        PolicyRule *mirrored = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(mirrored);
        mirrored->duplicate(rule);
        mirrored->setAction(rule->getAction());

        // Flip direction; Undefined/Both collapse to Both.
        const PolicyRule::Direction orig_dir = rule->getDirection();
        mirrored->setDirection(
            orig_dir == PolicyRule::Inbound  ? PolicyRule::Outbound :
            orig_dir == PolicyRule::Outbound ? PolicyRule::Inbound  :
                                               PolicyRule::Both);

        // src <-> dst are swapped, the interface element is copied as is.
        duplicateRuleElement(rule->getSrc(), mirrored->getDst());
        duplicateRuleElement(rule->getDst(), mirrored->getSrc());
        duplicateRuleElement(rule->getItf(), mirrored->getItf());

        RuleElementSrv *orig_srv = rule->getSrv();
        if (!orig_srv->isAny())
        {
            RuleElementSrv *mirrored_srv_el = mirrored->getSrv();
            ObjectMirror mirror;
            mirrored_srv_el->clearChildren();

            for (list<FWObject*>::iterator it=orig_srv->begin();
                 it!=orig_srv->end(); ++it)
            {
                Service *orig_service =
                    Service::cast(FWReference::getObject(*it));
                Service *mirrored_service =
                    mirror.getMirroredService(orig_service);

                // Freshly created mirror objects have no parent yet.
                if (mirrored_service->getParent() == NULL)
                    compiler->persistent_objects->add(mirrored_service, false);

                mirrored_srv_el->addRef(mirrored_service);
            }
        }

        // Mirror goes first, then the original.
        tmp_queue.push_back(mirrored);
    }

    tmp_queue.push_back(rule);
    return true;
}
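/*
 * This rule processor is used to separate TCP service objects that
 * match tcp flags when generated config uses object-group clause.
 *
 * A TCP service that inspects flags or matches "established" cannot be
 * folded into an object-group together with plain services, so each such
 * service in a multi-service rule is moved into a rule of its own. The
 * split-off rules are queued ahead of the original; the original is only
 * re-queued if some service was left in it.
 */
bool PolicyCompiler_junosacl::splitTCPServiceWithFlags::processNext()
{
    PolicyRule *rule = getNext();
    if (rule==NULL) return false;

    RuleElementSrv *srv = rule->getSrv();

    // Nothing to split off from a single-service rule.
    if (srv->size() <= 1)
    {
        tmp_queue.push_back(rule);
        return true;
    }

    // Services that must live in their own rule.
    std::list<FWObject*> flagged;

    for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
    {
        FWObject *o = *i1;
        FWObject *obj = NULL;
        if (FWReference::cast(o)!=NULL) obj = FWReference::cast(o)->getPointer();

        Service *s = Service::cast(obj);
        if (s==NULL)
        {
            // An assert() here would vanish under NDEBUG and turn a
            // malformed rule element into a NULL dereference; report it
            // through the compiler instead and skip it.
            compiler->abort(
                rule,
                "Service rule element contains an object that is not a service.");
            continue;
        }

        TCPService *tcp_srv = TCPService::cast(s);
        if (tcp_srv && (tcp_srv->inspectFlags() || tcp_srv->getEstablished()))
            flagged.push_back(s);
    }

    // Each flagged service becomes a copy of the rule with exactly that
    // service, and is removed from the original rule's service element.
    for (std::list<FWObject*>::iterator it=flagged.begin(); it!=flagged.end(); ++it)
    {
        PolicyRule *r = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(r);
        r->duplicate(rule);

        RuleElementSrv *nsrv = r->getSrv();
        nsrv->clearChildren();
        nsrv->addRef(*it);
        tmp_queue.push_back(r);

        srv->removeRef(*it);
    }

    // Original survives only if it still has services.
    if (srv->size() > 0) tmp_queue.push_back(rule);
    return true;
}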
/*
 * Render one policy rule as a multi-line text table for debug output.
 *
 * The src/dst/srv/itf elements are walked in lock-step: row k shows the
 * k-th member of each element (name plus object id, itf as "name(id)"),
 * blank where an element has run out of members. Only the first row
 * carries the rule label, action, direction and a " LOG" flag; later
 * rows are padded to the same columns. Negated elements are prefixed
 * with "!" on every row.
 *
 * Returns the table as a string; each row starts with a newline.
 */
string PolicyCompiler::debugPrintRule(Rule *r)
{
    PolicyRule *rule=PolicyRule::cast(r);
    // FWOptions *ruleopt =rule->getOptionsObject();

    RuleElementSrc *srcrel = rule->getSrc();
    RuleElementDst *dstrel = rule->getDst();
    RuleElementSrv *srvrel = rule->getSrv();
    RuleElementItf *itfrel = rule->getItf();

    // int iface_id = rule->getInterfaceId();
    // Interface *rule_iface = Interface::cast(dbcopy->findInIndex(iface_id));

    ostringstream str;
    // str << setw(70) << setfill('-') << "-";

    int no=0;   // row counter; row 0 carries label/action/direction

    FWObject::iterator i1=srcrel->begin();
    FWObject::iterator i2=dstrel->begin();
    FWObject::iterator i3=srvrel->begin();
    FWObject::iterator i4=itfrel->begin();

    // Keep emitting rows until every element list is exhausted.
    while ( i1!=srcrel->end() || i2!=dstrel->end() || i3!=srvrel->end() || i4!=itfrel->end())
    {
        str << endl;

        string src=" ";
        string dst=" ";
        string srv=" ";
        string itf=" ";
        int src_id = -1;   // -1 marks "no member in this column"
        int dst_id = -1;
        int srv_id = -1;

        // Negation marker replaces the leading blank.
        if (srcrel->getNeg()) src = "!";
        if (dstrel->getNeg()) dst = "!";
        if (srvrel->getNeg()) srv = "!";
        if (itfrel->getNeg()) itf = "!";

        if (i1!=srcrel->end())
        {
            FWObject *o = FWReference::getObject(*i1);
            src += o->getName();
            src_id = o->getId();
        }

        if (i2!=dstrel->end())
        {
            FWObject *o = FWReference::getObject(*i2);
            dst += o->getName();
            dst_id = o->getId();
        }

        if (i3!=srvrel->end())
        {
            FWObject *o = FWReference::getObject(*i3);
            srv += o->getName();
            srv_id = o->getId();
        }

        if (i4!=itfrel->end())
        {
            // Local 'str' deliberately shadows the outer stream; it only
            // builds the "name(id)" text for the interface column.
            ostringstream str;
            FWObject *o = FWReference::getObject(*i4);
            str << o->getName() << "(" << o->getId() << ")";
            itf += str.str();
        }

        // Width already consumed by the label on row 0; a label longer
        // than 10 columns simply gets no padding after it.
        int w = 0;
        if (no==0)
        {
            str << rule->getLabel();
            w = rule->getLabel().length();
        }
        str << setw(10-w) << setfill(' ') << " ";

        // setw() applies to the next insertion only, hence one per column.
        str << setw(18) << setfill(' ') << src.c_str() << "(" << src_id << ")";
        str << setw(18) << setfill(' ') << dst.c_str() << "(" << dst_id << ")";
        str << setw(12) << setfill(' ') << srv.c_str() << "(" << srv_id << ")";
        str << setw(8)  << setfill(' ') << itf.c_str();

        if (no==0)
        {
            str << setw(9)  << setfill(' ') << rule->getActionAsString().c_str();
            str << setw(12) << setfill(' ') << rule->getDirectionAsString().c_str();
            if (rule->getLogging()) str << " LOG";
        } else
            str << setw(18) << setfill(' ') << " ";   // keeps rows aligned

        ++no;

        // Advance only the iterators that still have members left.
        if ( i1!=srcrel->end() ) ++i1;
        if ( i2!=dstrel->end() ) ++i2;
        if ( i3!=srvrel->end() ) ++i3;
        if ( i4!=itfrel->end() ) ++i4;
    }
    return str.str();
}
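/*
 * Expand a policy rule so that it also matches traffic after NAT.
 *
 * Every (src, dst, srv) combination of the rule is checked against the
 * NAT rules via findMatchingNATRules(); for each match, action() builds
 * an atomic rule with dst and srv already converted to the translated
 * values and appends it to transformed_rules. Those rules are queued
 * ahead of the original rule ("on top of" it), presumably so that the
 * translated addresses are matched before the untranslated ones on a
 * first-match ACL.
 *
 * transformed_rules is a member shared across calls and is reset here so
 * that results never bleed from one rule into the next.
 */
bool PolicyCompiler_pix::matchTranslatedAddresses::processNext()
{
    PolicyRule *rule = getNext();
    if (rule==nullptr) return false;

    transformed_rules.clear();

    RuleElementSrc *srcrel = rule->getSrc();
    RuleElementDst *dstrel = rule->getDst();
    RuleElementSrv *srvrel = rule->getSrv();

    // Resolve each element once per loop level instead of once per
    // innermost iteration.
    for (list<FWObject*>::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1)
    {
        Address *src = Address::cast(FWReference::getObject(*i1));
        assert(src!=nullptr);

        for (list<FWObject*>::iterator i2=dstrel->begin(); i2!=dstrel->end(); ++i2)
        {
            Address *dst = Address::cast(FWReference::getObject(*i2));
            assert(dst!=nullptr);

            for (list<FWObject*>::iterator i3=srvrel->begin(); i3!=srvrel->end(); ++i3)
            {
                Service *srv = Service::cast(FWReference::getObject(*i3));
                assert(srv!=nullptr);

                list<NATRule*> tl = findMatchingNATRules(src, dst, srv);
                for (list<NATRule*>::iterator t=tl.begin(); t!=tl.end(); ++t)
                    action(rule, *t, src, dst, srv);
            }
        }
    }

    /*
     * transformed_rules has all the atomic rules that have a matching
     * NAT rule, with dst and srv already converted. Queue them before
     * the original rule.
     */
    for (list<PolicyRule*>::iterator i1=transformed_rules.begin();
         i1!=transformed_rules.end(); ++i1)
        tmp_queue.push_back(*i1);

    tmp_queue.push_back(rule);
    return true;
}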