/*
 * Sanity check for IPv4 fragmentation services: a rule that references
 * more than one service may carry at most one distinct "fragment-offset"
 * custom service. Two different ones are reported as a contradiction via
 * compiler->abort(); the rule itself is always forwarded to tmp_queue.
 * Returns false when there is no rule left to process, true otherwise.
 */
bool PolicyCompiler_junosacl::checkIPv4FragmentService::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    RuleElementSrv *srv = rule->getSrv();

    // Only a rule with several service objects can hold two different
    // fragment-offset services; a single-service rule needs no check.
    if (srv->size() > 1)
    {
        // First fragment-offset custom service seen in this rule; every
        // later one must be the same object (compared by id).
        CustomService *first_fragment_srv = NULL;

        for (list<FWObject*>::iterator it = srv->begin(); it != srv->end(); ++it)
        {
            FWObject *ref = *it;
            FWObject *target = NULL;
            if (FWReference::cast(ref) != NULL)
                target = FWReference::cast(ref)->getPointer();

            Service *service = Service::cast(target);
            assert(service != NULL);

            CustomService *custom_srv = CustomService::cast(service);
            if (custom_srv == NULL) continue;

            // The platform-specific code of the custom service must start
            // with "fragment-offset" (15 characters) to count as a
            // fragmentation service.
            const std::string code =
                custom_srv->getCodeForPlatform(compiler->myPlatformName());
            if (code.substr(0, 15).compare("fragment-offset") != 0) continue;

            if (first_fragment_srv == NULL)
            {
                first_fragment_srv = custom_srv;
            }
            else if (first_fragment_srv->getId() != custom_srv->getId())
            {
                // NOTE(review): presumably one generated term cannot match
                // two different fragment-offset conditions at once, so the
                // compiler refuses the rule rather than emit an ambiguous
                // policy — confirm against compiler->abort() semantics.
                compiler->abort(
                    rule,
                    "You have contradicting IPv4 fragmentation services in the same rule.");
            }
        }
    }

    tmp_queue.push_back(rule);
    return true;
}
/*
 * This rule processor is used to separate TCP service objects that
 * match tcp flags when generated config uses object-group clause
 *
 * Every TCP service of a multi-service rule that inspects flags or uses
 * "established" is moved into its own copy of the rule (created in
 * compiler->temp_ruleset); the original rule keeps the remaining
 * services and is forwarded only if any are left.
 * Returns false when there is no rule left to process, true otherwise.
 */
bool PolicyCompiler_junosacl::splitTCPServiceWithFlags::processNext()
{
    PolicyRule *rule = getNext();
    if (rule == NULL) return false;

    RuleElementSrv *srv = rule->getSrv();

    // A single-service rule is passed through untouched.
    if (srv->size() <= 1)
    {
        tmp_queue.push_back(rule);
        return true;
    }

    // Collect the TCP services that inspect flags or use "established";
    // each of them gets a rule of its own below.
    std::list<FWObject*> flag_services;
    for (list<FWObject*>::iterator it = srv->begin(); it != srv->end(); ++it)
    {
        FWObject *ref = *it;
        FWObject *target = NULL;
        if (FWReference::cast(ref) != NULL)
            target = FWReference::cast(ref)->getPointer();

        Service *service = Service::cast(target);
        assert(service != NULL);

        TCPService *tcp_srv = TCPService::cast(service);
        if (tcp_srv == NULL) continue;
        if (tcp_srv->inspectFlags() || tcp_srv->getEstablished())
            flag_services.push_back(service);
    }

    // Move each collected service into a copy of the rule: the copy
    // references only that service, and the original rule loses it.
    while (!flag_services.empty())
    {
        FWObject *moved = flag_services.front();
        flag_services.pop_front();

        PolicyRule *split_rule = compiler->dbcopy->createPolicyRule();
        compiler->temp_ruleset->add(split_rule);
        split_rule->duplicate(rule);

        RuleElementSrv *split_srv = split_rule->getSrv();
        split_srv->clearChildren();
        split_srv->addRef(moved);
        tmp_queue.push_back(split_rule);

        srv->removeRef(moved);
    }

    // The original rule stays only if it still has services left, i.e.
    // those that neither inspect flags nor use "established".
    if (srv->size() > 0) tmp_queue.push_back(rule);

    return true;
}