bool CreateObjectGroups::processNext()
{
Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size()==1)
{
/* create object group if the object in the RE is AddressRange
* because IOS normally does not support ranges in ACLs, but
* supports them in groups
*/
FWObject *re_obj = FWReference::getObject(re->front());
if ( ! AddressRange::isA(re_obj))
{
tmp_queue.push_back(rule);
return true;
}
}
BaseObjectGroup *obj_group = findObjectGroup(re);
if (obj_group==NULL)
{
obj_group = named_objects_manager->createObjectGroup();
named_objects_manager->getObjectGroupsGroup()->add(obj_group);
packObjects(re, obj_group);
obj_group->setObjectGroupTypeFromMembers(named_objects_manager);
QStringList group_name_prefix;
group_name_prefix.push_back(rule->getUniqueId().c_str());
group_name_prefix.push_back(name_suffix.c_str());
QString reg_name = BaseObjectGroup::registerGroupName(
group_name_prefix.join("."),
obj_group->getObjectGroupType());
obj_group->setName(reg_name.toUtf8().constData());
} else
{
re->clearChildren(false); //do not want to destroy children objects
re->addRef(obj_group);
}
tmp_queue.push_back(rule);
return true;
}
void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address*, Address *dst, Service*)
{
// FWObject *rule_iface = compiler->dbcopy->findInIndex(
// policy_rule->getInterfaceId());
RuleElementItf *intf_re = policy_rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
string version = compiler->fw->getStr("version");
RuleElement *re;
FWObject *o;
re = nat_rule->getODst();
o = FWReference::getObject(re->front());
Address *odst = Address::cast(o); assert(odst);
FWObject *p = odst->getParent();
if (odst->getId() == rule_iface->getId() ||
p->getId() == rule_iface->getId())
{
QString err("Object %1 that represents translated address in a NAT rule %2 "
"is used in a policy rule of ASA v%3 firewall. "
"Starting with v8.3, ASA requires using real IP addresses "
"in the firewall policy rules. ");
compiler->warning(
policy_rule,
err.arg(QString::fromUtf8(dst->getName().c_str()))
.arg(nat_rule->getLabel().c_str())
.arg(version.c_str()).toStdString());
}
}
bool SpecialServices::processNext()
{
PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
Rule *rule = prev_processor->getNextRule(); if (rule==nullptr) return false;
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size() == 0)
{
cerr << "Rule " << rule->getLabel()
<< "rule element " << re_type << " is empty" << endl;
assert(re->size() != 0);
}
FWObject *obj = FWReference::getObject(re->front());
Service *s = Service::cast(obj);
string version = compiler->fw->getStr("version");
if (IPService::cast(s)!=nullptr)
{
if (s->getBool("short_fragm") ||
s->getBool("fragm") )
{
if (pix_comp) pix_comp->fragguard = true;
return true; // do not copy the rule
}
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
{
compiler->abort(
rule,
"PIX does not support checking for IP options in ACLs.");
return true;
}
}
if (TCPService::cast(s)!=nullptr)
{
if (s->getBool("ack_flag") ||
s->getBool("fin_flag") ||
s->getBool("rst_flag") ||
s->getBool("syn_flag") )
{
compiler->abort(
rule,
"PIX does not support checking for TCP options in ACLs.");
return true;
}
}
if (CustomService::cast(s)!=nullptr && pix_comp==nullptr)
{
compiler->abort(
rule,
"CustomService objects are not supported in NAT rules");
return true;
}
tmp_queue.push_back(rule);
return true;
}
void PolicyCompiler_pix::replaceTranslatedAddresses::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address *src, Address*, Service *srv)
{
// FWObject *rule_iface = compiler->dbcopy->findInIndex(
// policy_rule->getInterfaceId());
RuleElementItf *intf_re = policy_rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
RuleElement *re = nat_rule->getOSrc();
FWObject *o = FWReference::getObject(re->front());
#ifndef NDEBUG
Address *osrc = Address::cast(o); assert(osrc);
#endif
re = nat_rule->getODst();
o = FWReference::getObject(re->front());
Address *odst = Address::cast(o); assert(odst);
re = nat_rule->getOSrv();
o = FWReference::getObject(re->front());
Service *osrv = Service::cast(o); assert(osrv);
#ifndef NDEBUG
re = nat_rule->getTSrc();
o = FWReference::getObject(re->front());
Address *tsrc = Address::cast(o); assert(tsrc);
re = nat_rule->getTDst();
o = FWReference::getObject(re->front());
Address *tdst = Address::cast(o); assert(tdst);
re = nat_rule->getTSrv();
o = FWReference::getObject(re->front());
Service *tsrv = Service::cast(o); assert(tsrv);
#endif
FWObject *p = odst->getParent();
if (odst->getId() == rule_iface->getId() ||
p->getId() == rule_iface->getId())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(policy_rule);
RuleElementSrc *nsrc = r->getSrc();
nsrc->clearChildren();
nsrc->addRef( src );
RuleElementDst *ndst = r->getDst();
ndst->clearChildren();
ndst->addRef( odst );
RuleElementSrv *nsrv = r->getSrv();
nsrv->clearChildren();
if (osrv->isAny())
nsrv->addRef( srv );
else
nsrv->addRef( osrv );
transformed_rules.push_back(r);
}
}