/*
* store all data in the object
*/
void pixosIfaceOptsDialog::accept()
{
// validate user input before saving
if (!validate()) return;
ProjectPanel *project = mw->activeProject();
std::unique_ptr<FWCmdChange> cmd( new FWCmdChange(project, obj));
// new_state is a copy of the interface object
FWObject* new_state = cmd->getNewState();
FWOptions* ifopt = Interface::cast(new_state)->getOptionsObject();
assert(ifopt!=NULL);
if (cluster_interface)
{
ifopt->setStr("type", "cluster_interface");
} else
{
QString new_type = m_dialog->iface_type->itemData(
m_dialog->iface_type->currentIndex()).toString();
ifopt->setStr("type", new_type.toStdString());
}
data.saveAll(ifopt);
if (!cmd->getOldState()->cmp(new_state, true))
project->undoStack->push(cmd.release());
QDialog::accept();
}
void AutomaticRules_nxosacl::addSshAccessRule()
{
if (ruleset == NULL) return;
FWOptions *fwopt = fw->getOptionsObject();
if (fwopt->getBool("mgmt_ssh") && ! fwopt->getStr("mgmt_addr").empty())
{
AutomaticRules_cisco::addSshAccessRule();
/*
* AutomaticRules_cisco::addDefaultPolicyRule() adds a rule to
* permit backup ssh access to the firewall. Since NXOS ACL are
* stateless, we need to add another rule to permit reply
* packets.
*/
TCPService *ssh_rev = ruleset->getRoot()->createTCPService();
ssh_rev->setSrcRangeStart(22);
ssh_rev->setSrcRangeEnd(22);
persistent_objects->add(ssh_rev, false);
Network *mgmt_workstation = ruleset->getRoot()->createNetwork();
mgmt_workstation->setAddressNetmask(fwopt->getStr("mgmt_addr"));
persistent_objects->add(mgmt_workstation, false);
addMgmtRule(
fw, mgmt_workstation, ssh_rev,
NULL, PolicyRule::Outbound, PolicyRule::Accept,
"backup ssh access rule (out)");
}
}
pixosIfaceOptsDialog::pixosIfaceOptsDialog(QWidget *parent, FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::pixosIfaceOptsDialog_q;
m_dialog->setupUi(this);
setWindowModality(Qt::WindowModal);
obj = o;
FWOptions *ifopt = (Interface::cast(obj))->getOptionsObject();
cluster_interface = (Cluster::cast(obj->getParent()) != NULL);
setInterfaceTypes(m_dialog->iface_type, Interface::cast(obj),
ifopt->getStr("type").c_str());
// Using "type" control only for subinterfaces
// and main interfaces of the firewall objects
if (cluster_interface)
{
m_dialog->iface_type->hide();
m_dialog->iface_type_label->hide();
} else
{
m_dialog->iface_type->show();
m_dialog->iface_type_label->show();
}
data.registerOption(m_dialog->vlan_id, ifopt, "vlan_id");
data.loadAll();
// special actions for different iface types
// VLAN (8021q)
typeChanged("");
}
QStringList instDialog::prepareArgForCompiler(Firewall *fw)
{
FWOptions *fwopt = fw->getOptionsObject();
QStringList args;
/*
* I should be able to specify custom compiler for firewall with
* no platform (e.g. for experiments)
*/
string compiler = fwopt->getStr("compiler");
if (compiler=="")
{
compiler=Resources::platform_res[fw->getStr("platform")]->getCompiler();
}
if (compiler=="")
{
QMessageBox::warning(
this,"Firewall Builder",
tr("Firewall platform is not specified in this object.\n\
Can't compile firewall policy."),
tr("&Continue"), QString::null,QString::null,
0, 1 );
return args; // still empty list
}
QString CompilerDriver_junosacl::assembleFwScript(Cluster *cluster,
Firewall *fw,
bool cluster_member,
OSConfigurator *oscnf)
{
Configlet script_skeleton(fw, "junos", "script_skeleton");
Configlet top_comment(fw, "junos", "top_comment");
script_skeleton.setVariable("system_configuration_script",
QString::fromUtf8(system_configuration_script.c_str()));
script_skeleton.setVariable("policy_script",
QString::fromUtf8(policy_script.c_str()));
FWOptions* options = fw->getOptionsObject();
options->setStr("prolog_script", options->getStr("junosacl_prolog_script"));
options->setStr("epilog_script", options->getStr("junosacl_epilog_script"));
// we do not offer user a choice of the place where to put prolog
// lines, therefore we can reset this attribute to make sure it
// does not interfere
options->setStr("prolog_place", "");
assembleFwScriptInternal(cluster, fw, cluster_member,
oscnf, &script_skeleton, &top_comment, "!", true);
return script_skeleton.expand();
}
void Importer::setInterfaceVlanId(const std::string &vlan_id)
{
if (current_interface!=NULL)
{
FWOptions *ifopt = (Interface::cast(current_interface))->getOptionsObject();
ifopt->setStr("type", "8021q");
ifopt->setStr("vlan_id", vlan_id);
}
}
/*
* This method builds and returns activation command
* This method is used for all firewall platforms but PIX
*/
QString FirewallInstaller::getActivationCmd()
{
if (!cnf->activationCmd.isEmpty())
{
return cnf->activationCmd;
}
FWOptions *fwopt = cnf->fwobj->getOptionsObject();
QString configlet_name = "installer_commands_";
if (cnf->user=="root") configlet_name += "root";
else configlet_name += "reg_user";
string host_os = cnf->fwobj->getStr("host_OS");
string os_family = Resources::os_res[host_os]->
getResourceStr("/FWBuilderResources/Target/family");
// installer configlets should be different for each OS, but if
// some OS can use the same script, it will be placed in the file
// under os_family name. For example:
// for linksys/sveasoft configlet is in src/res/configlets/sveasoft
// but since linux24 and openwrt can use the same script, it is
// located in src/res/configlets/linux24 (openwrt.xml file defines
// family as "linux24")
Configlet configlet(host_os, os_family, configlet_name);
configlet.removeComments();
configlet.collapseEmptyStrings(true);
// test run and rollback were deprecated in 4.2.0. On Linux, BSD
// and PIX rollback was implemented by rebooting firewall which is
// too heavy-handed and it did not work on BSD at all.
configlet.setVariable("test", false);
configlet.setVariable("run", true);
configlet.setVariable("with_rollback", false);
configlet.setVariable("no_rollback", true);
configlet.setVariable("firewall_name",
QString::fromUtf8(cnf->fwobj->getName().c_str()));
configlet.setVariable("with_compression", cnf->compressScript);
configlet.setVariable("no_compression", ! cnf->compressScript);
// On FreeBSD where we can generate either shell script or rc.conf
// file, installation commands differ.
//
// TODO: find more generic way to do this so that GUI installer does not
// have to be aware of the differences in generated file format.
configlet.setVariable("rc_conf_format",
fwopt->getBool("generate_rc_conf_file"));
configlet.setVariable("shell_script_format",
! fwopt->getBool("generate_rc_conf_file"));
replaceMacrosInCommand(&configlet);
return configlet.expand().trimmed();
}
/*
* Generate calls to the shell function update_addresses_of_interface
* to add or remove ip addresses of interfaces. The following cases
* are supported, depending on the value of
* @add_virtual_addresses_for_nat and @configure_interfaces
*
* configure_interfaces == false && add_virtual_addresses_for_nat == false:
* do not generate any commands
*
* configure_interfaces == false && add_virtual_addresses_for_nat == true:
* use only virtual_addresses_for_nat, add normal addresses of the interface
* to the list of addresses we should ignore
*
* configure_interfaces == true && add_virtual_addresses_for_nat == false:
* ignore virtual_addresses_for_nat
*
* configure_interfaces == true && add_virtual_addresses_for_nat == true:
* use virtual_addresses_for_nat
*
*
*/
string OSConfigurator_linux24::printInterfaceConfigurationCommands()
{
FWOptions* options = fw->getOptionsObject();
std::unique_ptr<interfaceProperties> int_prop(
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
fw->getStr("host_OS")));
Configlet script(fw, "linux24", "configure_interfaces");
script.removeComments();
script.collapseEmptyStrings(true);
list<FWObject*> interfaces = fw->getByTypeDeep(Interface::TYPENAME);
bool need_promote_command = false;
QStringList gencmd;
list<FWObject*>::iterator i;
for (i=interfaces.begin(); i!=interfaces.end(); ++i )
{
Interface *iface = Interface::cast(*i);
assert(iface);
string iface_name = iface->getName();
QStringList update_addresses;
QStringList ignore_addresses;
if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
{
if (options->getBool("manage_virtual_addr") &&
virtual_addresses_for_nat.count(iface_name) > 0)
update_addresses.push_back(
virtual_addresses_for_nat[iface_name].c_str());
// generate update_addresses calls even if interface has
// no addresses in fwbuilder. This makes sure all
// addresses it might have on the machine will be
// removed. Say, interface was regular and had an address
// and then user converted it to unnumbered. In this case
// the address should be removed.
gencmd.push_back(
printUpdateAddressCommand(iface, update_addresses, ignore_addresses));
// update_addresses list looks like this:
// ("eth0", "22.22.22.22/24", "22.22.22.23/24")
// I need to add "promote" command only when there is more than 1 address.
need_promote_command |= (update_addresses.size() > 2);
}
known_interfaces.push_back(iface_name);
}
script.setVariable("have_interfaces", interfaces.size() > 0);
script.setVariable("need_promote_command", need_promote_command);
script.setVariable("configure_interfaces_script", gencmd.join("\n"));
return script.expand().toStdString() + "\n";
}
string PolicyCompiler_iosacl::PrintRule::_printLog(PolicyRule *rule)
{
if (rule->getLogging())
{
FWOptions *ruleopt =rule->getOptionsObject();
if (ruleopt->getBool("iosacl_log_input")) return "log-input ";
return "log ";
}
return "";
}
void NATCompiler_pf::PrintRule::_printNATRuleOptions(Rule *rule)
{
FWOptions *ruleopt =rule->getOptionsObject();
if (ruleopt->getBool("pf_bitmask")) compiler->output << "bitmask ";
if (ruleopt->getBool("pf_random")) compiler->output << "random ";
if (ruleopt->getBool("pf_source_hash")) compiler->output << "source-hash ";
if (ruleopt->getBool("pf_round_robin")) compiler->output << "round-robin ";
if (ruleopt->getBool("pf_static_port")) compiler->output << "static-port ";
}
QString FirewallInstaller::getGeneratedFileName(Firewall *fw)
{
FWOptions *fwopt = fw->getOptionsObject();
QString generated_file;
QString ofname = QString::fromUtf8(fwopt->getStr("output_file").c_str()).trimmed();
if (!ofname.isEmpty())
{
generated_file = ofname;
} else
generated_file = QString::fromUtf8(fw->getName().c_str()) + ".fw";
return generated_file;
}
OSConfigurator_linux24::OSConfigurator_linux24(FWObjectDatabase *_db,
Firewall *fw,
bool ipv6_policy) :
OSConfigurator(_db, fw, ipv6_policy) , os_data(fw->getStr("host_OS"))
{
command_wrappers = new Configlet(fw, "linux24", "run_time_wrappers");
FWOptions* fwopt = fw->getOptionsObject();
string version = fw->getStr("version");
using_ipset = (XMLTools::version_compare(version, "1.4.1.1") >= 0 &&
fwopt->getBool("use_m_set"));
}
bool PolicyCompiler_pf::ProcessScrubOption::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
FWOptions *ruleopt =rule->getOptionsObject();
if ( ruleopt->getBool("scrub") ) {
if (rule->getAction()!=PolicyRule::Accept) {
ruleopt->setBool("scrub",false);
tmp_queue.push_back(rule);
compiler->abort(rule,
"Rule option 'scrub' is supported only for rules "
"with action 'Accept'");
return true;
}
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setAction(PolicyRule::Scrub);
r->getOptionsObject()->setBool("scrub",false);
tmp_queue.push_back(r);
ruleopt->setBool("scrub",false);
tmp_queue.push_back(rule);
return true;
}
/* if service is ip_fragment and action is 'Deny', then add rule with scrub */
Service *srv=compiler->getFirstSrv(rule); assert(srv);
if ( (srv->getBool("short_fragm") || srv->getBool("fragm")) &&
( rule->getAction()==PolicyRule::Deny || rule->getAction()==PolicyRule::Reject) ) {
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setAction(PolicyRule::Scrub);
r->getOptionsObject()->setBool("scrub",false);
tmp_queue.push_back(r);
return true;
}
tmp_queue.push_back(rule);
return true;
}
void Importer::newPolicyRule()
{
if (fwbdebug) qDebug() << "Importer::newPolicyRule()";
FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
FWObject *nobj = dbroot->create(PolicyRule::TYPENAME);
current_rule = Rule::cast(nobj);
// check if all child objects were populated properly
FWOptions *ropt = current_rule->getOptionsObject();
assert(ropt!=NULL);
ropt->setBool("stateless", true);
}
bool PolicyCompiler_ipf::checkForKeepState::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
Service *srv=compiler->getFirstSrv(rule); assert(srv);
FWOptions *ruleopt =rule->getOptionsObject();
if (! ICMPService::isA(srv) &&
! UDPService::isA(srv) &&
! TCPService::isA(srv) ) ruleopt->setBool("stateless",true);
return true;
}
secuwallIfaceOptsDialog::secuwallIfaceOptsDialog(QWidget *parent, FWObject *o)
: QDialog(parent)
{
m_dialog = new Ui::secuwallIfaceOptsDialog_q;
m_dialog->setupUi(this);
obj = o;
FWOptions *ifopt = (Interface::cast(obj))->getOptionsObject();
cluster_interface = (Cluster::cast(obj->getParent()) != NULL);
setInterfaceTypes(m_dialog->iface_type, Interface::cast(obj),
ifopt->getStr("type").c_str());
// Using "type" control only for subinterfaces
// and main interfaces of the firewall objects
if (cluster_interface)
{
m_dialog->iface_type->hide();
m_dialog->iface_type_label->hide();
} else
{
m_dialog->iface_type->show();
m_dialog->iface_type_label->show();
}
data.registerOption(m_dialog->iface_mtu,
ifopt,
"iface_mtu");
data.registerOption(m_dialog->iface_disablearp,
ifopt,
"iface_disablearp");
data.registerOption(m_dialog->iface_disableboot,
ifopt,
"iface_disableboot");
data.registerOption(m_dialog->iface_options,
ifopt,
"iface_options");
data.registerOption(m_dialog->vlan_id,
ifopt,
"vlan_id");
data.loadAll();
// perform special actions for different iface types
typeChanged("");
}
void OSConfigurator_bsd::setKernelVariable(Firewall *fw,
const string &var_name,
Configlet *configlet)
{
FWOptions* options = fw->getOptionsObject();
string s;
s = options->getStr(var_name);
if (!s.empty())
{
configlet->setVariable(QString("have_") + var_name.c_str(), 1);
configlet->setVariable(var_name.c_str(), s=="1" || s=="on" || s=="On");
}
}
string OSConfigurator_linux24::getPathForATool(const std::string &os_variant, OSData_ipt::tools tool_name)
{
FWOptions* options = fw->getOptionsObject();
string attr = os_data.getAttributeNameForTool(tool_name);
string s = options->getStr("linux24_" + attr);
if (!s.empty()) return s;
string host_os = fw->getStr("host_OS");
string r = "/FWBuilderResources/Target/tools/" + os_variant + "/" + attr;
if (Resources::os_res[host_os]->getResourceStr(r).empty())
r = "/FWBuilderResources/Target/tools/Unknown/" + attr;
return Resources::os_res[host_os]->getResourceStr(r);
}
void Importer::pushRule()
{
assert(current_ruleset!=NULL);
assert(current_rule!=NULL);
// populate all elements of the rule
PolicyRule *rule = PolicyRule::cast(current_rule);
FWOptions *ropt = current_rule->getOptionsObject();
assert(ropt!=NULL);
if (action=="permit")
{
rule->setAction(PolicyRule::Accept);
ropt->setBool("stateless", false);
}
if (action=="deny")
{
rule->setAction(PolicyRule::Deny);
ropt->setBool("stateless", true);
}
rule->setDirection(PolicyRule::Both);
addSrc();
addDst();
addSrv();
addLogging();
// then add it to the current ruleset
current_ruleset->ruleset->add(current_rule);
if (error_tracker->hasWarnings())
{
QStringList warn = error_tracker->getWarnings();
// parser errors and warnings are added to the log by
// PFCfgParser::reportError() and PFCfgParser::reportWarning()
// so we dont need to add them again here
foreach(QString w, warn)
{
if (!w.startsWith("Parser warning:")) addMessageToLog("Warning: " + w);
}
markCurrentRuleBad();
}
bool PolicyCompiler_ipf::expandAnyService::processNext()
{
PolicyCompiler_ipf *pcomp=dynamic_cast<PolicyCompiler_ipf*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementSrv *srv=rule->getSrv();
FWOptions *ruleopt =rule->getOptionsObject();
if (srv->isAny() && ! ruleopt->getBool("stateless") && rule->getAction()==PolicyRule::Accept) {
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
RuleElementSrv *nsrv=r->getSrv();
nsrv->clearChildren();
nsrv->addRef(pcomp->anyicmp); //compiler->dbcopy->findInIndex(ANY_ICMP_OBJ_ID));
tmp_queue.push_back(r);
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
nsrv=r->getSrv();
nsrv->clearChildren();
nsrv->addRef(pcomp->anytcp); //compiler->dbcopy->findInIndex(ANY_TCP_OBJ_ID));
tmp_queue.push_back(r);
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
nsrv=r->getSrv();
nsrv->clearChildren();
nsrv->addRef(pcomp->anyudp); //compiler->dbcopy->findInIndex(ANY_UDP_OBJ_ID));
tmp_queue.push_back(r);
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
FWOptions *ruleopt =r->getOptionsObject();
ruleopt->setBool("stateless",true);
tmp_queue.push_back(r);
} else
tmp_queue.push_back(rule);
return true;
}
string PolicyCompiler_junosacl::PrintRule::_printAction(PolicyRule *rule)
{
ostringstream str;
switch (rule->getAction()) {
case PolicyRule::Accept: str << "accept"; break;
case PolicyRule::Deny: str << "discard"; break;
case PolicyRule::Reject: str << "reject";
{
FWOptions *ruleopt =rule->getOptionsObject();
string reason = ruleopt->getStr("action_on_reject");
if (!reason.empty())
str << " " << reject_icmp_reason.at(reason);
}
break;
default: str << rule->getActionAsString() << "";
}
return str.str();
}
string OSConfigurator_linux24::printIPForwardingCommands()
{
/* Turn on packet forwarding if we have to */
// string os_family = Resources::os_res[fw->getStr("host_OS")]->
// getResourceStr("/FWBuilderResources/Target/family");
FWOptions* options = fw->getOptionsObject();
Configlet ip_forwarding(fw, "linux24", "ip_forwarding");
ip_forwarding.removeComments();
ip_forwarding.collapseEmptyStrings(true);
string s = options->getStr("linux24_ip_forward");
ip_forwarding.setVariable("ipv4", !s.empty());
ip_forwarding.setVariable("ipv4_forw", (s=="1" || s=="On" || s=="on")?1:0);
s = options->getStr("linux24_ipv6_forward");
ip_forwarding.setVariable("ipv6", !s.empty());
ip_forwarding.setVariable("ipv6_forw", (s=="1" || s=="On" || s=="on")?1:0);
return ip_forwarding.expand().toStdString();
}
string OSConfigurator_linux24::generateCodeForProtocolHandlers()
{
FWOptions* options = fw->getOptionsObject();
bool nomod = Resources::os_res[fw->getStr("host_OS")]->
Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_modules");
// string host_os = fw->getStr("host_OS");
// string os_family = Resources::os_res[host_os]->
// getResourceStr("/FWBuilderResources/Target/family");
Configlet load_modules(fw, "linux24", "load_modules");
load_modules.removeComments();
// See ticket #2
string modules_dir = Resources::os_res[fw->getStr("host_OS")]->
Resources::getResourceStr("/FWBuilderResources/Target/options/default/modules_dir");
/* there is no need to load modules on some platforms */
load_modules.setVariable("load_modules", options->getBool("load_modules") && !nomod);
load_modules.setVariable("modules_dir", modules_dir.c_str());
return load_modules.expand().toStdString();
}
bool PolicyCompiler_ipf::doDstNegation::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementDst *dst=rule->getDst();
if (dst->getNeg()) {
RuleElementDst *ndst;
PolicyRule *r;
FWOptions *ruleopt;
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setAction(PolicyRule::Continue);
r->setLogging(false);
ndst=r->getDst();
ndst->setNeg(false);
r->setBool("quick",false);
r->setBool("skip_check_for_duplicates",true);
ruleopt = r->getOptionsObject();
ruleopt->setBool("stateless", true);
tmp_queue.push_back(r);
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
ndst=r->getDst();
ndst->setNeg(false);
ndst->clearChildren();
ndst->setAnyElement();
r->setBool("quick",true);
r->setBool("skip_check_for_duplicates",true);
tmp_queue.push_back(r);
return true;
}
tmp_queue.push_back(rule);
return true;
}
bool MangleTableCompiler_ipt::keepMangleTableRules::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
FWOptions *ruleopt = rule->getOptionsObject();
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
string ruleset_name = compiler->getRuleSetName();
FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set"))
tmp_queue.push_back(rule);
else
{
if (rule->getAction() == PolicyRule::Branch &&
ruleopt->getBool("ipt_branch_in_mangle"))
{
PolicyRule* r;
// this is a branching rule for mangle table. Need to put it
// into PREROUTING and POSTROUTING chains as well because some
// targets that work with mangle table can only go into these
// chains, yet we do not know what kind of rules will user
// place in the branch
if (rule->getDirection()==PolicyRule::Undefined ||
rule->getDirection()==PolicyRule::Both ||
rule->getDirection()==PolicyRule::Inbound)
{
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain","PREROUTING");
tmp_queue.push_back(r);
}
if (rule->getDirection()==PolicyRule::Undefined ||
rule->getDirection()==PolicyRule::Both ||
rule->getDirection()==PolicyRule::Outbound)
{
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain","POSTROUTING");
tmp_queue.push_back(r);
}
// ticket #1415 User reports that only packets that went
// through the FORWARD chain can match inbound "-i" and
// outbound "-o" interface at the same time. Since we do
// not allow both in and out interface matches in one rule
// and have to use branch to do this, need to branch in
// FORWARD chain as well so that inbound interface can be
// matched in the branching rule and outbound interface
// can be matched in a rule in the branch
//
// This is ugly, this means the branch will inspect the
// packet at least twice - in PREROUTING and FORWARD, or
// FORWARD and POSTROUTING chains.
//
// I mention above that some targets can only be used in
// PREROUTING or POSTROUTING chains. It would help if
// these tagrets worked in FORWARD chain, in that case we
// could just branch in FORWARD instead of all thress chains.
//
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain","FORWARD");
tmp_queue.push_back(r);
// tmp_queue.push_back(rule);
return true;
}
if (rule->getTagging() ||
rule->getRouting() ||
rule->getClassification() ||
ruleopt->getBool("put_in_mangle_table")) tmp_queue.push_back(rule);
}
return true;
}
string OSConfigurator_pix_os::_printMPFPolicyMap()
{
ostringstream res;
string platform = fw->getStr("platform");
string version = fw->getStr("version");
string vers = "version_" + version;
FWOptions *options = fw->getOptionsObject();
assert(options!=NULL);
std::list<InspectionClassMap> defaultClassMaps;
std::list<InspectionClassMap> customClassMaps;
std::map<std::string,int> DefaultInspectionInspectStatements;
std::map<std::string,int> CustomInspectionInspectStatements;
QStringList allowed_fixups =
QString(Resources::platform_res[platform]->getResourceStr(
"/FWBuilderResources/Target/options/" + vers +
"/fixups/list").c_str()).split(",");
defaultClassMaps.clear();
customClassMaps.clear();
DefaultInspectionInspectStatements.clear();
CustomInspectionInspectStatements.clear();
foreach (QString fixup_xml_element, allowed_fixups)
{
string f = options->getStr(fixup_xml_element.toAscii().constData());
if (!f.empty())
{
QString fixup_name = fixup_xml_element.replace("_fixup", "");
int status;
int p1,p2;
string an;
int av;
istringstream str(f);
str >> status >> p1 >> p2 >> an >> av;
/* We should really fix this in the GUI and pass max length parameter
* as an/av rather than as port p1
*/
if (fixup_name == "dns" && p1 != 0)
{
an = "maximum-length";
av = p1;
p1 = 53;
}
if (fixup_name.startsWith("ip_options"))
{
continue;
}
InspectionClassMap cm(fixup_name.toAscii().constData(),
status, p1, p2, an, av);
if (cm.isDefault()) defaultClassMaps.push_back(cm);
else customClassMaps.push_back(cm);
}
QString CompilerDriver_pix::assembleFwScript(Cluster *cluster,
Firewall* fw,
bool cluster_member,
OSConfigurator *oscnf)
{
Configlet script_skeleton(fw, "pix_os", "script_skeleton");
Configlet top_comment(fw, "pix_os", "top_comment");
FWOptions* options = fw->getOptionsObject();
options->setStr("prolog_script", options->getStr("pix_prolog_script"));
options->setStr("epilog_script", options->getStr("pix_epilog_script"));
options->setStr("prolog_place", "");
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
bool outbound_acl_supported =
Resources::platform_res[platform]->getResourceBool(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+
"/pix_outbound_acl_supported");
bool afpa = options->getBool("pix_assume_fw_part_of_any");
bool emulate_outb_acls = options->getBool("pix_emulate_out_acl");
bool generate_outb_acls = options->getBool("pix_generate_out_acl");
top_comment.setVariable(
"outbound_acl_supported",
QString((outbound_acl_supported) ? "supported" : "not supported"));
top_comment.setVariable("emulate_outb_acls",
QString((emulate_outb_acls)?"yes":"no"));
top_comment.setVariable("generate_outb_acls",
QString((generate_outb_acls)?"yes":"no"));
top_comment.setVariable("afpa", QString((afpa)?"yes":"no"));
script_skeleton.setVariable("short_script", options->getBool("short_script"));
script_skeleton.setVariable("not_short_script",
! options->getBool("short_script"));
script_skeleton.setVariable("preamble_commands",
QString::fromUtf8(
preamble_commands.c_str()));
script_skeleton.setVariable("clear_commands",
QString::fromUtf8(
clear_commands.c_str()));
script_skeleton.setVariable("system_configuration_script",
QString::fromUtf8(
system_configuration_script.c_str()));
script_skeleton.setVariable("named_objects_and_object_groups",
QString::fromUtf8(
named_objects_and_groups.c_str()));
script_skeleton.setVariable("policy_script",
QString::fromUtf8(policy_script.c_str()));
script_skeleton.setVariable("nat_script",
QString::fromUtf8(nat_script.c_str()));
script_skeleton.setVariable("routing_script",
QString::fromUtf8(routing_script.c_str()));
assembleFwScriptInternal(cluster, fw, cluster_member, oscnf,
&script_skeleton, &top_comment, "!", true);
return script_skeleton.expand();
}
QString CompilerDriver_pix::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
Firewall *fw = NULL;
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
if (cluster)
{
// PIX failover is dfferent from VRRP and other failover protocols
// in that it does not create new virtual address. Instead, each
// unit is configured with two ip addresses, one for the active
// unit and another for standby one. When active unit fails, the
// other one assumes its address.
//
// This matters because when we use cluster object or one of its
// interfaces in rules, compiler should expand it to the set of
// addresses that includes addresses of the corresponding
// interface of both member firewalls. Method
// CompilerDriver::copyFailoverInterface adds a copy of firewall
// interface to the cluster object. This works for all firewalls,
// but for PIX we need to add copies of interfaces from both
// members.
//
FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME);
for (; cl_iface != cl_iface.end(); ++cl_iface)
{
FailoverClusterGroup *failover_group =
FailoverClusterGroup::cast(
(*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME));
if (failover_group)
{
//FWObject *this_member_interface = NULL; //UNUSED
list<FWObject*> other_member_interfaces;
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
FWObject *intf = FWObjectReference::getObject(*it);
assert(intf);
//if (intf->isChildOf(fw)) this_member_interface = intf; //UNUSED
//else other_member_interfaces.push_back(intf);
if (!intf->isChildOf(fw)) other_member_interfaces.push_back(intf);
}
if (!other_member_interfaces.empty())
{
for (list<FWObject*>::iterator it=other_member_interfaces.begin();
it!=other_member_interfaces.end(); ++it)
{
cluster->addCopyOf(*it, true);
}
}
}
}
}
#if 0
FWObjectTypedChildIterator iface = fw->findByType(Interface::TYPENAME);
for (; iface != iface.end(); ++iface)
{
(*iface)->dump(true, true);
}
#endif
determineOutputFileNames(cluster, fw, !cluster_id.empty(),
QStringList(""), QStringList("fw"),
QStringList(""));
FWOptions* options = fw->getOptionsObject();
QString script_buffer;
std::auto_ptr<NATCompiler_pix> n;
std::auto_ptr<PolicyCompiler_pix> c;
std::auto_ptr<RoutingCompiler_pix> r;
try
{
clearReadOnly(fw);
commonChecks2(cluster, fw);
pixClusterConfigurationChecks(cluster, fw);
// Note that fwobjectname may be different from the name of the
// firewall fw This happens when we compile a member of a cluster
current_firewall_name = fw->getName().c_str();
bool pix_acl_basic = options->getBool("pix_acl_basic");
bool pix_acl_no_clear = options->getBool("pix_acl_no_clear");
bool pix_acl_substitution = options->getBool("pix_acl_substitution");
bool pix_add_clear_statements = options->getBool("pix_add_clear_statements");
if (!pix_acl_basic && !pix_acl_no_clear && !pix_acl_substitution)
{
if ( pix_add_clear_statements ) options->setBool("pix_acl_basic",true);
else options->setBool("pix_acl_no_clear",true);
}
list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
pixSecurityLevelChecks(fw, all_interfaces);
pixNetworkZoneChecks(fw, all_interfaces);
/* Now that all checks are done, we can drop copies of cluster
* interfaces that were added to the firewall by
* CompilerDriver::populateClusterElements()
*/
list<FWObject*> copies_of_cluster_interfaces;
for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
{
Interface *iface = Interface::cast(*i);
assert(iface);
if (iface->getOptionsObject()->getBool("cluster_interface"))
copies_of_cluster_interfaces.push_back(iface);
}
while (copies_of_cluster_interfaces.size())
{
fw->remove(copies_of_cluster_interfaces.front());
copies_of_cluster_interfaces.pop_front();
}
NamedObjectsManagerPIX named_objects_manager(persistent_objects, fw);
all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
for (std::list<FWObject*>::iterator i=all_interfaces.begin();
i!=all_interfaces.end(); ++i)
{
Interface *iface = Interface::cast(*i);
assert(iface);
/*
* missing labels on interfaces
*
*/
if (iface->getLabel()=="")
{
string lbl;
if (iface->isDedicatedFailover())
{
// dedicated failover interface misses label. This
// interface can be used in failover cluster group
// or state sync group. Assign label depending on
// the function.
FWObjectTypedChildIterator it =
cluster->findByType(StateSyncClusterGroup::TYPENAME);
StateSyncClusterGroup *state_sync_group =
StateSyncClusterGroup::cast(*it);
if (state_sync_group && state_sync_group->hasMember(iface))
lbl = "state";
if (!iface->getOptionsObject()->getStr("failover_group_id").empty())
lbl = "failover";
}
if (lbl.empty())
{
if (iface->getSecurityLevel()==0) lbl="outside";
else
{
if (iface->getSecurityLevel()==100) lbl="inside";
else
{
QString l("dmz%1");
lbl = l.arg(iface->getSecurityLevel()).toStdString();
}
}
}
iface->setLabel(lbl);
}
}
/*
* now sort interfaces by their network zone "width" (that
* is, more narrow network zone should go first, interface
* with network zone "any" should be the last)
*
std::sort(fw->begin(), fw->end(), sort_by_net_zone() );
*/
try
{
AutomaticRules_cisco auto_rules(fw, persistent_objects);
auto_rules.addSshAccessRule();
} catch (FWException &ex)
{
abort(ex.toString());
}
std::auto_ptr<Preprocessor> prep(
new Preprocessor(objdb , fw, false));
if (inTestMode()) prep->setTestMode();
if (inEmbeddedMode()) prep->setEmbeddedMode();
prep->compile();
std::auto_ptr<OSConfigurator> oscnf(
new OSConfigurator_pix_os(objdb , fw, false));
if (inTestMode()) oscnf->setTestMode();
if (inEmbeddedMode()) oscnf->setEmbeddedMode();
oscnf->prolog();
oscnf->processFirewallOptions();
bool have_named_objects = false;
bool have_object_groups = false;
/* create compilers and run the whole thing */
string version = fw->getStr("version");
if (XMLTools::version_compare(version, "8.3")>=0)
n = std::auto_ptr<NATCompiler_pix>(
new NATCompiler_asa8(objdb, fw, false, oscnf.get()));
else
n = std::auto_ptr<NATCompiler_pix>(
new NATCompiler_pix(objdb, fw, false, oscnf.get()));
RuleSet *nat = RuleSet::cast(fw->getFirstByType(NAT::TYPENAME));
if (nat)
{
nat->assignUniqueRuleIds();
n->setNamedObjectsManager(&named_objects_manager);
n->setSourceRuleSet(nat);
n->setRuleSetName(nat->getName());
n->setPersistentObjects(persistent_objects);
if (inTestMode()) n->setTestMode();
if (inEmbeddedMode()) n->setEmbeddedMode();
n->setSingleRuleCompileMode(single_rule_id);
n->setDebugLevel( dl );
if (rule_debug_on) n->setDebugRule( drn );
n->setVerbose( verbose );
if ( n->prolog() > 0 )
{
n->compile();
n->epilog();
preamble_commands += n->printPreambleCommands();
clear_commands += n->printClearCommands();
have_named_objects = (have_named_objects ||
named_objects_manager.haveNamedObjects());
have_object_groups = (have_object_groups ||
named_objects_manager.haveObjectGroups());
//named_objects_manager.saveObjectGroups();
} else
info(" Nothing to compile in NAT");
}
c = std::auto_ptr<PolicyCompiler_pix>(
new PolicyCompiler_pix(objdb, fw, false, oscnf.get() , n.get()));
RuleSet *policy = RuleSet::cast(fw->getFirstByType(Policy::TYPENAME));
if (policy)
{
policy->assignUniqueRuleIds();
c->setNamedObjectsManager(&named_objects_manager);
c->setSourceRuleSet(policy);
c->setRuleSetName(policy->getName());
c->setPersistentObjects(persistent_objects);
if (inTestMode()) c->setTestMode();
if (inEmbeddedMode()) c->setEmbeddedMode();
c->setSingleRuleCompileMode(single_rule_id);
c->setDebugLevel( dl );
if (rule_debug_on) c->setDebugRule( drp );
c->setVerbose( verbose );
if ( c->prolog() > 0 )
{
c->compile();
c->epilog();
preamble_commands += c->printPreambleCommands();
clear_commands += c->printClearCommands();
have_named_objects = (have_named_objects ||
named_objects_manager.haveNamedObjects());
have_object_groups = (have_object_groups ||
named_objects_manager.haveObjectGroups());
//named_objects_manager.saveObjectGroups();
} else
info(" Nothing to compile in Policy");
}
r = std::auto_ptr<RoutingCompiler_pix>(
new RoutingCompiler_pix(objdb, fw, false, oscnf.get()));
RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME));
if (routing)
{
routing->assignUniqueRuleIds();
r->setNamedObjectsManager(&named_objects_manager);
r->setSourceRuleSet(routing);
r->setRuleSetName(routing->getName());
r->setPersistentObjects(persistent_objects);
if (inTestMode()) r->setTestMode();
if (inEmbeddedMode()) r->setEmbeddedMode();
r->setSingleRuleCompileMode(single_rule_id);
r->setDebugLevel( dl );
if (rule_debug_on) r->setDebugRule( drp );
r->setVerbose( verbose );
if ( r->prolog() > 0 )
{
r->compile();
r->epilog();
} else
info(" Nothing to compile in Routing");
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());
}
policy_script = c->getCompiledScript();
nat_script = n->getCompiledScript();
routing_script = r->getCompiledScript();
named_objects_and_groups = named_objects_manager.getNamedObjectsDefinitions();
if (c->haveErrorsAndWarnings())
all_errors.push_back(c->getErrors("C ").c_str());
if (n->haveErrorsAndWarnings())
all_errors.push_back(n->getErrors("N ").c_str());
if (r->haveErrorsAndWarnings())
all_errors.push_back(r->getErrors("R ").c_str());
if (single_rule_compile_on)
{
return formSingleRuleCompileOutput(
QString::fromUtf8(
(named_objects_and_groups +
policy_script + nat_script + routing_script).c_str()));
}
system_configuration_script = oscnf->getCompiledScript();
system_configuration_script += "\n";
clear_commands += named_objects_manager.getClearCommands() + "\n";
// system_configuration_script += preamble_commands;
// system_configuration_script += clear_commands;
script_buffer = assembleFwScript(
cluster, fw, !cluster_id.empty(), oscnf.get());
QString ofname = getAbsOutputFileName(file_names[FW_FILE]);
info("Output file name: " + ofname.toStdString());
QFile fw_file(ofname);
if (fw_file.open(QIODevice::WriteOnly))
{
QTextStream fw_str(&fw_file);
fw_str << script_buffer;
fw_file.close();
fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner |
QFile::ReadGroup | QFile::ReadOther |
QFile::ExeOwner |
QFile::ExeGroup |
QFile::ExeOther );
info(" Compiled successfully");
} else
{
QString err(" Failed to open file %1 for writing: %2; Current dir: %3");
abort(err.arg(fw_file.fileName())
.arg(fw_file.error()).arg(QDir::current().path()).toStdString());
}
if (!all_errors.isEmpty())
status = BaseCompiler::FWCOMPILER_WARNING;
}
catch (FWException &ex)
{
status = BaseCompiler::FWCOMPILER_ERROR;
return QString::fromUtf8(ex.toString().c_str());
}
return "";
}
string OSConfigurator_bsd::printFunctions()
{
ostringstream ostr;
FWOptions* options = fw->getOptionsObject();
string host_os = fw->getStr("host_OS");
string version = fw->getStr("version");
Configlet functions(fw, "bsd", "shell_functions");
functions.removeComments();
functions.setVariable("dyn_addr", options->getBool("dynAddr"));
if (options->getBool("dynAddr"))
{
/*
* get addresses of dynamic interfaces
*/
QString script_buffer;
QTextStream ostr(&script_buffer, QIODevice::WriteOnly);
FWObjectTypedChildIterator j=fw->findByType(Interface::TYPENAME);
for ( ; j!=j.end(); ++j )
{
Interface *iface=Interface::cast(*j);
if ( iface->isDyn() )
{
/* if interface name ends with '*', this is a wildcard interface. Do
* not get its address at this time.
*
* Do we support wildcard interfaces on *BSD at all ?
*/
if (iface->getName().find("*")==string::npos)
ostr << "getaddr "
<< iface->getName().c_str()
<< " "
<< getInterfaceVarName(iface).c_str()
<< "\n";
}
}
functions.setVariable("get_dyn_addr_commands", script_buffer);
} else
functions.setVariable("get_dyn_addr_commands", "");
ostr << functions.expand().toStdString();
if ( options->getBool("configure_interfaces") )
{
Configlet update_addresses(fw, "bsd", "update_addresses");
update_addresses.removeComments();
update_addresses.setVariable("freebsd", host_os == "freebsd");
update_addresses.setVariable("openbsd", host_os == "openbsd");
ostr << update_addresses.expand().toStdString();
}
if ( options->getBool("configure_vlan_interfaces") )
{
Configlet update_vlans(fw, "bsd", "update_vlans");
update_vlans.removeComments();
update_vlans.setVariable("freebsd", host_os == "freebsd");
update_vlans.setVariable("openbsd", host_os == "openbsd");
ostr << update_vlans.expand().toStdString();
}
if (options->getBool("configure_bridge_interfaces"))
{
Configlet update_bridge(fw, "bsd", "update_bridge");
update_bridge.removeComments();
update_bridge.setVariable("freebsd", host_os == "freebsd");
if (host_os == "openbsd")
{
update_bridge.setVariable("openbsd", true);
update_bridge.setVariable("openbsd_lt_47",
XMLTools::version_compare(version, "4.7")<0);
update_bridge.setVariable("openbsd_ge_47",
XMLTools::version_compare(version, "4.7")>=0);
}
ostr << update_bridge.expand().toStdString();
}
if ( options->getBool("configure_carp_interfaces") )
{
Configlet update_carp(fw, "bsd", "update_carp");
update_carp.removeComments();
update_carp.setVariable("freebsd", host_os == "freebsd");
update_carp.setVariable("openbsd", host_os == "openbsd");
ostr << update_carp.expand().toStdString();
}
if ( options->getBool("configure_pfsync_interfaces") )
{
Configlet update_pfsync(fw, "bsd", "update_pfsync");
update_pfsync.removeComments();
update_pfsync.setVariable("freebsd", host_os == "freebsd");
update_pfsync.setVariable("openbsd", host_os == "openbsd");
ostr << update_pfsync.expand().toStdString();
}
return ostr.str();
}
void PFImporter::addLogging()
{
PolicyRule *rule = PolicyRule::cast(current_rule);
FWOptions *ropt = rule->getOptionsObject();
/*
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
disable Disable log option on this ACL element, (no log at all)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
inactive Keyword for disabling an ACL element
informational Informational messages (severity=6)
interval Configure log interval, default value is 300 sec
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
*/
QMap<QString, QString> logging_levels;
logging_levels["alerts"] = "alert";
logging_levels["critical"] = "crit";
logging_levels["debugging"] = "debug";
logging_levels["emergencies"] = "";
logging_levels["errors"] = "error";
logging_levels["informational"] = "info";
logging_levels["notifications"] = "notice";
logging_levels["warnings"] = "warning";
logging_levels["0"] = "";
logging_levels["1"] = "alert";
logging_levels["2"] = "crit";
logging_levels["3"] = "error";
logging_levels["4"] = "warning";
logging_levels["5"] = "notice";
logging_levels["6"] = "info";
logging_levels["7"] = "debug";
// QStringList log_levels = getLogLevels("pix");
rule->setLogging(logging);
QString log_level_qs = log_level.c_str();
if ( ! log_level_qs.isEmpty())
{
if (logging_levels.count(log_level_qs) != 0)
ropt->setStr("log_level", logging_levels[log_level_qs].toStdString());
else
ropt->setStr("log_level", log_level);
if (log_level_qs == "disable" || log_level_qs == "inactive")
ropt->setBool("disable_logging_for_this_rule", true);
}
if ( ! log_interval.empty())
{
bool ok = false;
int log_interval_int = QString(log_interval.c_str()).toInt(&ok);
if (ok)
ropt->setInt("log_interval", log_interval_int);
}
}