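/**
 * Wrap the members of the rule element `re_type` into a named object group.
 *
 * Takes the next rule from the previous processor.  A single-object element
 * is left untouched unless that object is an AddressRange: IOS does not
 * accept ranges directly in ACLs but does accept them inside object groups,
 * so a group is created even for one range.  A group found by
 * findObjectGroup(re) is reused (the element's members are replaced by a
 * reference to it); otherwise a new group is created, added to
 * named_objects_manager's object-groups group, packed with the element's
 * objects, typed from its members and named from the rule's unique id and
 * name_suffix via BaseObjectGroup::registerGroupName.  The rule is always
 * forwarded through tmp_queue.
 *
 * @return false when the previous processor has no more rules, true otherwise.
 */
bool CreateObjectGroups::processNext()
{
    Rule *rule = prev_processor->getNextRule();
    if (rule == nullptr) return false;

    // The firewall's "version"/"platform" attributes were fetched here before
    // but never used; the lookups were dropped.
    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));

    if (re->size() == 1)
    {
        // A lone AddressRange still needs a group (see the note above);
        // any other single object is passed through as-is.
        FWObject *re_obj = FWReference::getObject(re->front());
        if (!AddressRange::isA(re_obj))
        {
            tmp_queue.push_back(rule);
            return true;
        }
    }

    BaseObjectGroup *obj_group = findObjectGroup(re);
    if (obj_group == nullptr)
    {
        obj_group = named_objects_manager->createObjectGroup();
        named_objects_manager->getObjectGroupsGroup()->add(obj_group);
        packObjects(re, obj_group);
        obj_group->setObjectGroupTypeFromMembers(named_objects_manager);

        // Name the group "<rule unique id>.<name_suffix>", as returned by
        // registerGroupName for the group's type.
        QStringList group_name_prefix;
        group_name_prefix.push_back(rule->getUniqueId().c_str());
        group_name_prefix.push_back(name_suffix.c_str());
        QString reg_name = BaseObjectGroup::registerGroupName(
            group_name_prefix.join("."), obj_group->getObjectGroupType());
        obj_group->setName(reg_name.toUtf8().constData());
    }
    else
    {
        // Point the element at the existing group; clearChildren(false)
        // removes the references without destroying the member objects.
        re->clearChildren(false);
        re->addRef(obj_group);
    }

    tmp_queue.push_back(rule);
    return true;
}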
/**
 * Warn when a policy rule of an ASA firewall refers to the address that a
 * NAT rule translates.
 *
 * The object referenced by the NAT rule's ODst element (and that object's
 * parent) is compared, by id, with the interface the policy rule is attached
 * to.  On a match a warning is attached to the policy rule naming the policy
 * rule's destination `dst`, the NAT rule's label and the firewall's "version"
 * attribute; the warning text explains that starting with v8.3 ASA expects
 * real IP addresses in policy rules.
 *
 * @param policy_rule  policy rule being checked; receives the warning.
 * @param nat_rule     NAT rule whose ODst element is examined.
 * @param dst          destination object of the policy rule, quoted in the warning.
 * The unnamed Address and Service parameters are not used here.
 */
void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action(
    PolicyRule *policy_rule, NATRule *nat_rule,
    Address*, Address *dst, Service*)
{
    RuleElementItf *itf_element = policy_rule->getItf();
    FWObject *policy_iface = FWObjectReference::getObject(itf_element->front());

    const string fw_version = compiler->fw->getStr("version");

    FWObject *odst_obj = FWReference::getObject(nat_rule->getODst()->front());
    Address *nat_odst = Address::cast(odst_obj);
    assert(nat_odst);
    FWObject *odst_parent = nat_odst->getParent();

    const bool refers_to_iface =
        nat_odst->getId() == policy_iface->getId() ||
        odst_parent->getId() == policy_iface->getId();
    if (!refers_to_iface) return;

    QString message(
        "Object %1 that represents translated address in a NAT rule %2 "
        "is used in a policy rule of ASA v%3 firewall. "
        "Starting with v8.3, ASA requires using real IP addresses "
        "in the firewall policy rules. ");
    message = message
        .arg(QString::fromUtf8(dst->getName().c_str()))
        .arg(nat_rule->getLabel().c_str())
        .arg(fw_version.c_str());
    compiler->warning(policy_rule, message.toStdString());
}
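/**
 * Reject or absorb service objects that PIX/ASA ACLs cannot express.
 *
 * Takes the next rule, looks at the first object of the rule element
 * `re_type` and:
 *  - IPService with fragment matching (short_fragm / fragm): sets the
 *    fragguard flag on the PolicyCompiler_pix (when the compiler is one) and
 *    drops the rule, i.e. it is not forwarded;
 *  - IPService with IP option checks (rr / ssrr / ts): aborts the rule;
 *  - TCPService with TCP flag checks (ack/fin/rst/syn): aborts the rule;
 *  - CustomService when the compiler is not a PolicyCompiler_pix (reported
 *    as "not supported in NAT rules"): aborts the rule;
 *  - anything else is forwarded unchanged through tmp_queue.
 *
 * An empty rule element is an internal error: it is reported on cerr and the
 * rule is aborted.  Previously only an assert guarded this case, so release
 * builds went on to call front() on the empty element.
 *
 * @return false when the previous processor has no more rules, true otherwise.
 */
bool SpecialServices::processNext()
{
    PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);

    Rule *rule = prev_processor->getNextRule();
    if (rule == nullptr) return false;

    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
    if (re->size() == 0)
    {
        // The old message lacked the space before "rule element", so the
        // label and the text ran together.
        cerr << "Rule " << rule->getLabel()
             << " rule element " << re_type << " is empty" << endl;
        assert(re->size() != 0);
        // With NDEBUG the assert is compiled out; do not reach re->front().
        compiler->abort(rule, "Internal error: empty rule element");
        return true;
    }

    FWObject *obj = FWReference::getObject(re->front());
    Service *s = Service::cast(obj);

    if (IPService::cast(s) != nullptr)
    {
        if (s->getBool("short_fragm") || s->getBool("fragm"))
        {
            // Fragment matching is handled by the compiler-wide fragguard
            // flag; the rule itself is dropped.
            if (pix_comp) pix_comp->fragguard = true;
            return true;
        }
        if (s->getBool("rr") || s->getBool("ssrr") || s->getBool("ts"))
        {
            compiler->abort(
                rule, "PIX does not support checking for IP options in ACLs.");
            return true;
        }
    }

    if (TCPService::cast(s) != nullptr)
    {
        if (s->getBool("ack_flag") || s->getBool("fin_flag") ||
            s->getBool("rst_flag") || s->getBool("syn_flag"))
        {
            compiler->abort(
                rule, "PIX does not support checking for TCP options in ACLs.");
            return true;
        }
    }

    if (CustomService::cast(s) != nullptr && pix_comp == nullptr)
    {
        compiler->abort(
            rule, "CustomService objects are not supported in NAT rules");
        return true;
    }

    tmp_queue.push_back(rule);
    return true;
}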
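/**
 * Rewrite a policy rule that refers to a NAT rule's translated address so
 * that it uses the NAT rule's original objects instead.
 *
 * When the object referenced by the NAT rule's ODst element (or its parent)
 * is the interface the policy rule is attached to, a copy of the policy rule
 * is created in compiler->temp_ruleset with Src := `src`, Dst := ODst and
 * Srv := OSrv, except that the policy rule's own `srv` is kept when OSrv is
 * "any".  The copy is appended to transformed_rules; `policy_rule` itself is
 * not modified.
 *
 * @param policy_rule  policy rule to transform; its Itf element gives the interface.
 * @param nat_rule     NAT rule providing the original objects.
 * @param src          source object for the transformed rule.
 * @param srv          service used when the NAT rule's OSrv is "any".
 * The unnamed Address parameter is not used here.
 */
void PolicyCompiler_pix::replaceTranslatedAddresses::action(
    PolicyRule *policy_rule, NATRule *nat_rule,
    Address *src, Address*, Service *srv)
{
    // Object referenced by the first entry of a rule element.
    auto first_object = [](RuleElement *re) -> FWObject* {
        return FWReference::getObject(re->front());
    };

    RuleElementItf *intf_re = policy_rule->getItf();
    FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());

    Address *odst = Address::cast(first_object(nat_rule->getODst()));
    assert(odst);
    Service *osrv = Service::cast(first_object(nat_rule->getOSrv()));
    assert(osrv);

#ifndef NDEBUG
    // Debug-only sanity checks on the NAT rule's other elements.  The OSrc
    // lookup used to run unconditionally although its result was consumed
    // only by an assert; release builds now skip all of these lookups.
    Address *osrc = Address::cast(first_object(nat_rule->getOSrc()));
    assert(osrc);
    Address *tsrc = Address::cast(first_object(nat_rule->getTSrc()));
    assert(tsrc);
    Address *tdst = Address::cast(first_object(nat_rule->getTDst()));
    assert(tdst);
    Service *tsrv = Service::cast(first_object(nat_rule->getTSrv()));
    assert(tsrv);
#endif

    FWObject *p = odst->getParent();
    if (odst->getId() != rule_iface->getId() && p->getId() != rule_iface->getId())
        return;

    PolicyRule *r = compiler->dbcopy->createPolicyRule();
    compiler->temp_ruleset->add(r);
    r->duplicate(policy_rule);

    RuleElementSrc *nsrc = r->getSrc();
    nsrc->clearChildren();
    nsrc->addRef(src);

    RuleElementDst *ndst = r->getDst();
    ndst->clearChildren();
    ndst->addRef(odst);

    RuleElementSrv *nsrv = r->getSrv();
    nsrv->clearChildren();
    // Keep the policy rule's own service when the NAT rule matches any service.
    nsrv->addRef(osrv->isAny() ? srv : osrv);

    transformed_rules.push_back(r);
}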