/* * store all data in the object */ void pixosIfaceOptsDialog::accept() { // validate user input before saving if (!validate()) return; ProjectPanel *project = mw->activeProject(); std::unique_ptr<FWCmdChange> cmd( new FWCmdChange(project, obj)); // new_state is a copy of the interface object FWObject* new_state = cmd->getNewState(); FWOptions* ifopt = Interface::cast(new_state)->getOptionsObject(); assert(ifopt!=NULL); if (cluster_interface) { ifopt->setStr("type", "cluster_interface"); } else { QString new_type = m_dialog->iface_type->itemData( m_dialog->iface_type->currentIndex()).toString(); ifopt->setStr("type", new_type.toStdString()); } data.saveAll(ifopt); if (!cmd->getOldState()->cmp(new_state, true)) project->undoStack->push(cmd.release()); QDialog::accept(); }
void AutomaticRules_nxosacl::addSshAccessRule() { if (ruleset == NULL) return; FWOptions *fwopt = fw->getOptionsObject(); if (fwopt->getBool("mgmt_ssh") && ! fwopt->getStr("mgmt_addr").empty()) { AutomaticRules_cisco::addSshAccessRule(); /* * AutomaticRules_cisco::addDefaultPolicyRule() adds a rule to * permit backup ssh access to the firewall. Since NXOS ACL are * stateless, we need to add another rule to permit reply * packets. */ TCPService *ssh_rev = ruleset->getRoot()->createTCPService(); ssh_rev->setSrcRangeStart(22); ssh_rev->setSrcRangeEnd(22); persistent_objects->add(ssh_rev, false); Network *mgmt_workstation = ruleset->getRoot()->createNetwork(); mgmt_workstation->setAddressNetmask(fwopt->getStr("mgmt_addr")); persistent_objects->add(mgmt_workstation, false); addMgmtRule( fw, mgmt_workstation, ssh_rev, NULL, PolicyRule::Outbound, PolicyRule::Accept, "backup ssh access rule (out)"); } }
pixosIfaceOptsDialog::pixosIfaceOptsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::pixosIfaceOptsDialog_q; m_dialog->setupUi(this); setWindowModality(Qt::WindowModal); obj = o; FWOptions *ifopt = (Interface::cast(obj))->getOptionsObject(); cluster_interface = (Cluster::cast(obj->getParent()) != NULL); setInterfaceTypes(m_dialog->iface_type, Interface::cast(obj), ifopt->getStr("type").c_str()); // Using "type" control only for subinterfaces // and main interfaces of the firewall objects if (cluster_interface) { m_dialog->iface_type->hide(); m_dialog->iface_type_label->hide(); } else { m_dialog->iface_type->show(); m_dialog->iface_type_label->show(); } data.registerOption(m_dialog->vlan_id, ifopt, "vlan_id"); data.loadAll(); // special actions for different iface types // VLAN (8021q) typeChanged(""); }
QStringList instDialog::prepareArgForCompiler(Firewall *fw) { FWOptions *fwopt = fw->getOptionsObject(); QStringList args; /* * I should be able to specify custom compiler for firewall with * no platform (e.g. for experiments) */ string compiler = fwopt->getStr("compiler"); if (compiler=="") { compiler=Resources::platform_res[fw->getStr("platform")]->getCompiler(); } if (compiler=="") { QMessageBox::warning( this,"Firewall Builder", tr("Firewall platform is not specified in this object.\n\ Can't compile firewall policy."), tr("&Continue"), QString::null,QString::null, 0, 1 ); return args; // still empty list }
QString CompilerDriver_junosacl::assembleFwScript(Cluster *cluster, Firewall *fw, bool cluster_member, OSConfigurator *oscnf) { Configlet script_skeleton(fw, "junos", "script_skeleton"); Configlet top_comment(fw, "junos", "top_comment"); script_skeleton.setVariable("system_configuration_script", QString::fromUtf8(system_configuration_script.c_str())); script_skeleton.setVariable("policy_script", QString::fromUtf8(policy_script.c_str())); FWOptions* options = fw->getOptionsObject(); options->setStr("prolog_script", options->getStr("junosacl_prolog_script")); options->setStr("epilog_script", options->getStr("junosacl_epilog_script")); // we do not offer user a choice of the place where to put prolog // lines, therefore we can reset this attribute to make sure it // does not interfere options->setStr("prolog_place", ""); assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!", true); return script_skeleton.expand(); }
void Importer::setInterfaceVlanId(const std::string &vlan_id) { if (current_interface!=NULL) { FWOptions *ifopt = (Interface::cast(current_interface))->getOptionsObject(); ifopt->setStr("type", "8021q"); ifopt->setStr("vlan_id", vlan_id); } }
/* * This method builds and returns activation command * This method is used for all firewall platforms but PIX */ QString FirewallInstaller::getActivationCmd() { if (!cnf->activationCmd.isEmpty()) { return cnf->activationCmd; } FWOptions *fwopt = cnf->fwobj->getOptionsObject(); QString configlet_name = "installer_commands_"; if (cnf->user=="root") configlet_name += "root"; else configlet_name += "reg_user"; string host_os = cnf->fwobj->getStr("host_OS"); string os_family = Resources::os_res[host_os]-> getResourceStr("/FWBuilderResources/Target/family"); // installer configlets should be different for each OS, but if // some OS can use the same script, it will be placed in the file // under os_family name. For example: // for linksys/sveasoft configlet is in src/res/configlets/sveasoft // but since linux24 and openwrt can use the same script, it is // located in src/res/configlets/linux24 (openwrt.xml file defines // family as "linux24") Configlet configlet(host_os, os_family, configlet_name); configlet.removeComments(); configlet.collapseEmptyStrings(true); // test run and rollback were deprecated in 4.2.0. On Linux, BSD // and PIX rollback was implemented by rebooting firewall which is // too heavy-handed and it did not work on BSD at all. configlet.setVariable("test", false); configlet.setVariable("run", true); configlet.setVariable("with_rollback", false); configlet.setVariable("no_rollback", true); configlet.setVariable("firewall_name", QString::fromUtf8(cnf->fwobj->getName().c_str())); configlet.setVariable("with_compression", cnf->compressScript); configlet.setVariable("no_compression", ! cnf->compressScript); // On FreeBSD where we can generate either shell script or rc.conf // file, installation commands differ. // // TODO: find more generic way to do this so that GUI installer does not // have to be aware of the differences in generated file format. configlet.setVariable("rc_conf_format", fwopt->getBool("generate_rc_conf_file")); configlet.setVariable("shell_script_format", ! fwopt->getBool("generate_rc_conf_file")); replaceMacrosInCommand(&configlet); return configlet.expand().trimmed(); }
/* * Generate calls to the shell function update_addresses_of_interface * to add or remove ip addresses of interfaces. The following cases * are supported, depending on the value of * @add_virtual_addresses_for_nat and @configure_interfaces * * configure_interfaces == false && add_virtual_addresses_for_nat == false: * do not generate any commands * * configure_interfaces == false && add_virtual_addresses_for_nat == true: * use only virtual_addresses_for_nat, add normal addresses of the interface * to the list of addresses we should ignore * * configure_interfaces == true && add_virtual_addresses_for_nat == false: * ignore virtual_addresses_for_nat * * configure_interfaces == true && add_virtual_addresses_for_nat == true: * use virtual_addresses_for_nat * * */ string OSConfigurator_linux24::printInterfaceConfigurationCommands() { FWOptions* options = fw->getOptionsObject(); std::unique_ptr<interfaceProperties> int_prop( interfacePropertiesObjectFactory::getInterfacePropertiesObject( fw->getStr("host_OS"))); Configlet script(fw, "linux24", "configure_interfaces"); script.removeComments(); script.collapseEmptyStrings(true); list<FWObject*> interfaces = fw->getByTypeDeep(Interface::TYPENAME); bool need_promote_command = false; QStringList gencmd; list<FWObject*>::iterator i; for (i=interfaces.begin(); i!=interfaces.end(); ++i ) { Interface *iface = Interface::cast(*i); assert(iface); string iface_name = iface->getName(); QStringList update_addresses; QStringList ignore_addresses; if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses)) { if (options->getBool("manage_virtual_addr") && virtual_addresses_for_nat.count(iface_name) > 0) update_addresses.push_back( virtual_addresses_for_nat[iface_name].c_str()); // generate update_addresses calls even if interface has // no addresses in fwbuilder. This makes sure all // addresses it might have on the machine will be // removed. Say, interface was regular and had an address // and then user converted it to unnumbered. In this case // the address should be removed. gencmd.push_back( printUpdateAddressCommand(iface, update_addresses, ignore_addresses)); // update_addresses list looks like this: // ("eth0", "22.22.22.22/24", "22.22.22.23/24") // I need to add "promote" command only when there is more than 1 address. need_promote_command |= (update_addresses.size() > 2); } known_interfaces.push_back(iface_name); } script.setVariable("have_interfaces", interfaces.size() > 0); script.setVariable("need_promote_command", need_promote_command); script.setVariable("configure_interfaces_script", gencmd.join("\n")); return script.expand().toStdString() + "\n"; }
string PolicyCompiler_iosacl::PrintRule::_printLog(PolicyRule *rule) { if (rule->getLogging()) { FWOptions *ruleopt =rule->getOptionsObject(); if (ruleopt->getBool("iosacl_log_input")) return "log-input "; return "log "; } return ""; }
void NATCompiler_pf::PrintRule::_printNATRuleOptions(Rule *rule) { FWOptions *ruleopt =rule->getOptionsObject(); if (ruleopt->getBool("pf_bitmask")) compiler->output << "bitmask "; if (ruleopt->getBool("pf_random")) compiler->output << "random "; if (ruleopt->getBool("pf_source_hash")) compiler->output << "source-hash "; if (ruleopt->getBool("pf_round_robin")) compiler->output << "round-robin "; if (ruleopt->getBool("pf_static_port")) compiler->output << "static-port "; }
QString FirewallInstaller::getGeneratedFileName(Firewall *fw) { FWOptions *fwopt = fw->getOptionsObject(); QString generated_file; QString ofname = QString::fromUtf8(fwopt->getStr("output_file").c_str()).trimmed(); if (!ofname.isEmpty()) { generated_file = ofname; } else generated_file = QString::fromUtf8(fw->getName().c_str()) + ".fw"; return generated_file; }
OSConfigurator_linux24::OSConfigurator_linux24(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy) : OSConfigurator(_db, fw, ipv6_policy) , os_data(fw->getStr("host_OS")) { command_wrappers = new Configlet(fw, "linux24", "run_time_wrappers"); FWOptions* fwopt = fw->getOptionsObject(); string version = fw->getStr("version"); using_ipset = (XMLTools::version_compare(version, "1.4.1.1") >= 0 && fwopt->getBool("use_m_set")); }
bool PolicyCompiler_pf::ProcessScrubOption::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; FWOptions *ruleopt =rule->getOptionsObject(); if ( ruleopt->getBool("scrub") ) { if (rule->getAction()!=PolicyRule::Accept) { ruleopt->setBool("scrub",false); tmp_queue.push_back(rule); compiler->abort(rule, "Rule option 'scrub' is supported only for rules " "with action 'Accept'"); return true; } PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(PolicyRule::Scrub); r->getOptionsObject()->setBool("scrub",false); tmp_queue.push_back(r); ruleopt->setBool("scrub",false); tmp_queue.push_back(rule); return true; } /* if service is ip_fragment and action is 'Deny', then add rule with scrub */ Service *srv=compiler->getFirstSrv(rule); assert(srv); if ( (srv->getBool("short_fragm") || srv->getBool("fragm")) && ( rule->getAction()==PolicyRule::Deny || rule->getAction()==PolicyRule::Reject) ) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(PolicyRule::Scrub); r->getOptionsObject()->setBool("scrub",false); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; }
void Importer::newPolicyRule() { if (fwbdebug) qDebug() << "Importer::newPolicyRule()"; FWObjectDatabase *dbroot = getFirewallObject()->getRoot(); FWObject *nobj = dbroot->create(PolicyRule::TYPENAME); current_rule = Rule::cast(nobj); // check if all child objects were populated properly FWOptions *ropt = current_rule->getOptionsObject(); assert(ropt!=NULL); ropt->setBool("stateless", true); }
bool PolicyCompiler_ipf::checkForKeepState::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); Service *srv=compiler->getFirstSrv(rule); assert(srv); FWOptions *ruleopt =rule->getOptionsObject(); if (! ICMPService::isA(srv) && ! UDPService::isA(srv) && ! TCPService::isA(srv) ) ruleopt->setBool("stateless",true); return true; }
secuwallIfaceOptsDialog::secuwallIfaceOptsDialog(QWidget *parent, FWObject *o) : QDialog(parent) { m_dialog = new Ui::secuwallIfaceOptsDialog_q; m_dialog->setupUi(this); obj = o; FWOptions *ifopt = (Interface::cast(obj))->getOptionsObject(); cluster_interface = (Cluster::cast(obj->getParent()) != NULL); setInterfaceTypes(m_dialog->iface_type, Interface::cast(obj), ifopt->getStr("type").c_str()); // Using "type" control only for subinterfaces // and main interfaces of the firewall objects if (cluster_interface) { m_dialog->iface_type->hide(); m_dialog->iface_type_label->hide(); } else { m_dialog->iface_type->show(); m_dialog->iface_type_label->show(); } data.registerOption(m_dialog->iface_mtu, ifopt, "iface_mtu"); data.registerOption(m_dialog->iface_disablearp, ifopt, "iface_disablearp"); data.registerOption(m_dialog->iface_disableboot, ifopt, "iface_disableboot"); data.registerOption(m_dialog->iface_options, ifopt, "iface_options"); data.registerOption(m_dialog->vlan_id, ifopt, "vlan_id"); data.loadAll(); // perform special actions for different iface types typeChanged(""); }
void OSConfigurator_bsd::setKernelVariable(Firewall *fw, const string &var_name, Configlet *configlet) { FWOptions* options = fw->getOptionsObject(); string s; s = options->getStr(var_name); if (!s.empty()) { configlet->setVariable(QString("have_") + var_name.c_str(), 1); configlet->setVariable(var_name.c_str(), s=="1" || s=="on" || s=="On"); } }
string OSConfigurator_linux24::getPathForATool(const std::string &os_variant, OSData_ipt::tools tool_name) { FWOptions* options = fw->getOptionsObject(); string attr = os_data.getAttributeNameForTool(tool_name); string s = options->getStr("linux24_" + attr); if (!s.empty()) return s; string host_os = fw->getStr("host_OS"); string r = "/FWBuilderResources/Target/tools/" + os_variant + "/" + attr; if (Resources::os_res[host_os]->getResourceStr(r).empty()) r = "/FWBuilderResources/Target/tools/Unknown/" + attr; return Resources::os_res[host_os]->getResourceStr(r); }
void Importer::pushRule() { assert(current_ruleset!=NULL); assert(current_rule!=NULL); // populate all elements of the rule PolicyRule *rule = PolicyRule::cast(current_rule); FWOptions *ropt = current_rule->getOptionsObject(); assert(ropt!=NULL); if (action=="permit") { rule->setAction(PolicyRule::Accept); ropt->setBool("stateless", false); } if (action=="deny") { rule->setAction(PolicyRule::Deny); ropt->setBool("stateless", true); } rule->setDirection(PolicyRule::Both); addSrc(); addDst(); addSrv(); addLogging(); // then add it to the current ruleset current_ruleset->ruleset->add(current_rule); if (error_tracker->hasWarnings()) { QStringList warn = error_tracker->getWarnings(); // parser errors and warnings are added to the log by // PFCfgParser::reportError() and PFCfgParser::reportWarning() // so we dont need to add them again here foreach(QString w, warn) { if (!w.startsWith("Parser warning:")) addMessageToLog("Warning: " + w); } markCurrentRuleBad(); }
bool PolicyCompiler_ipf::expandAnyService::processNext() { PolicyCompiler_ipf *pcomp=dynamic_cast<PolicyCompiler_ipf*>(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementSrv *srv=rule->getSrv(); FWOptions *ruleopt =rule->getOptionsObject(); if (srv->isAny() && ! ruleopt->getBool("stateless") && rule->getAction()==PolicyRule::Accept) { PolicyRule *r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); RuleElementSrv *nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->addRef(pcomp->anyicmp); //compiler->dbcopy->findInIndex(ANY_ICMP_OBJ_ID)); tmp_queue.push_back(r); r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->addRef(pcomp->anytcp); //compiler->dbcopy->findInIndex(ANY_TCP_OBJ_ID)); tmp_queue.push_back(r); r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); nsrv=r->getSrv(); nsrv->clearChildren(); nsrv->addRef(pcomp->anyudp); //compiler->dbcopy->findInIndex(ANY_UDP_OBJ_ID)); tmp_queue.push_back(r); r = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); FWOptions *ruleopt =r->getOptionsObject(); ruleopt->setBool("stateless",true); tmp_queue.push_back(r); } else tmp_queue.push_back(rule); return true; }
string PolicyCompiler_junosacl::PrintRule::_printAction(PolicyRule *rule) { ostringstream str; switch (rule->getAction()) { case PolicyRule::Accept: str << "accept"; break; case PolicyRule::Deny: str << "discard"; break; case PolicyRule::Reject: str << "reject"; { FWOptions *ruleopt =rule->getOptionsObject(); string reason = ruleopt->getStr("action_on_reject"); if (!reason.empty()) str << " " << reject_icmp_reason.at(reason); } break; default: str << rule->getActionAsString() << ""; } return str.str(); }
string OSConfigurator_linux24::printIPForwardingCommands() { /* Turn on packet forwarding if we have to */ // string os_family = Resources::os_res[fw->getStr("host_OS")]-> // getResourceStr("/FWBuilderResources/Target/family"); FWOptions* options = fw->getOptionsObject(); Configlet ip_forwarding(fw, "linux24", "ip_forwarding"); ip_forwarding.removeComments(); ip_forwarding.collapseEmptyStrings(true); string s = options->getStr("linux24_ip_forward"); ip_forwarding.setVariable("ipv4", !s.empty()); ip_forwarding.setVariable("ipv4_forw", (s=="1" || s=="On" || s=="on")?1:0); s = options->getStr("linux24_ipv6_forward"); ip_forwarding.setVariable("ipv6", !s.empty()); ip_forwarding.setVariable("ipv6_forw", (s=="1" || s=="On" || s=="on")?1:0); return ip_forwarding.expand().toStdString(); }
string OSConfigurator_linux24::generateCodeForProtocolHandlers() { FWOptions* options = fw->getOptionsObject(); bool nomod = Resources::os_res[fw->getStr("host_OS")]-> Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_modules"); // string host_os = fw->getStr("host_OS"); // string os_family = Resources::os_res[host_os]-> // getResourceStr("/FWBuilderResources/Target/family"); Configlet load_modules(fw, "linux24", "load_modules"); load_modules.removeComments(); // See ticket #2 string modules_dir = Resources::os_res[fw->getStr("host_OS")]-> Resources::getResourceStr("/FWBuilderResources/Target/options/default/modules_dir"); /* there is no need to load modules on some platforms */ load_modules.setVariable("load_modules", options->getBool("load_modules") && !nomod); load_modules.setVariable("modules_dir", modules_dir.c_str()); return load_modules.expand().toStdString(); }
bool PolicyCompiler_ipf::doDstNegation::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; RuleElementDst *dst=rule->getDst(); if (dst->getNeg()) { RuleElementDst *ndst; PolicyRule *r; FWOptions *ruleopt; r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setAction(PolicyRule::Continue); r->setLogging(false); ndst=r->getDst(); ndst->setNeg(false); r->setBool("quick",false); r->setBool("skip_check_for_duplicates",true); ruleopt = r->getOptionsObject(); ruleopt->setBool("stateless", true); tmp_queue.push_back(r); r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); ndst=r->getDst(); ndst->setNeg(false); ndst->clearChildren(); ndst->setAnyElement(); r->setBool("quick",true); r->setBool("skip_check_for_duplicates",true); tmp_queue.push_back(r); return true; } tmp_queue.push_back(rule); return true; }
bool MangleTableCompiler_ipt::keepMangleTableRules::processNext() { PolicyRule *rule = getNext(); if (rule==NULL) return false; FWOptions *ruleopt = rule->getOptionsObject(); PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler); string ruleset_name = compiler->getRuleSetName(); FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject(); if (rulesetopts->getBool("mangle_only_rule_set")) tmp_queue.push_back(rule); else { if (rule->getAction() == PolicyRule::Branch && ruleopt->getBool("ipt_branch_in_mangle")) { PolicyRule* r; // this is a branching rule for mangle table. Need to put it // into PREROUTING and POSTROUTING chains as well because some // targets that work with mangle table can only go into these // chains, yet we do not know what kind of rules will user // place in the branch if (rule->getDirection()==PolicyRule::Undefined || rule->getDirection()==PolicyRule::Both || rule->getDirection()==PolicyRule::Inbound) { r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("ipt_chain","PREROUTING"); tmp_queue.push_back(r); } if (rule->getDirection()==PolicyRule::Undefined || rule->getDirection()==PolicyRule::Both || rule->getDirection()==PolicyRule::Outbound) { r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("ipt_chain","POSTROUTING"); tmp_queue.push_back(r); } // ticket #1415 User reports that only packets that went // through the FORWARD chain can match inbound "-i" and // outbound "-o" interface at the same time. Since we do // not allow both in and out interface matches in one rule // and have to use branch to do this, need to branch in // FORWARD chain as well so that inbound interface can be // matched in the branching rule and outbound interface // can be matched in a rule in the branch // // This is ugly, this means the branch will inspect the // packet at least twice - in PREROUTING and FORWARD, or // FORWARD and POSTROUTING chains. // // I mention above that some targets can only be used in // PREROUTING or POSTROUTING chains. It would help if // these tagrets worked in FORWARD chain, in that case we // could just branch in FORWARD instead of all thress chains. // r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); r->duplicate(rule); r->setStr("ipt_chain","FORWARD"); tmp_queue.push_back(r); // tmp_queue.push_back(rule); return true; } if (rule->getTagging() || rule->getRouting() || rule->getClassification() || ruleopt->getBool("put_in_mangle_table")) tmp_queue.push_back(rule); } return true; }
string OSConfigurator_pix_os::_printMPFPolicyMap() { ostringstream res; string platform = fw->getStr("platform"); string version = fw->getStr("version"); string vers = "version_" + version; FWOptions *options = fw->getOptionsObject(); assert(options!=NULL); std::list<InspectionClassMap> defaultClassMaps; std::list<InspectionClassMap> customClassMaps; std::map<std::string,int> DefaultInspectionInspectStatements; std::map<std::string,int> CustomInspectionInspectStatements; QStringList allowed_fixups = QString(Resources::platform_res[platform]->getResourceStr( "/FWBuilderResources/Target/options/" + vers + "/fixups/list").c_str()).split(","); defaultClassMaps.clear(); customClassMaps.clear(); DefaultInspectionInspectStatements.clear(); CustomInspectionInspectStatements.clear(); foreach (QString fixup_xml_element, allowed_fixups) { string f = options->getStr(fixup_xml_element.toAscii().constData()); if (!f.empty()) { QString fixup_name = fixup_xml_element.replace("_fixup", ""); int status; int p1,p2; string an; int av; istringstream str(f); str >> status >> p1 >> p2 >> an >> av; /* We should really fix this in the GUI and pass max length parameter * as an/av rather than as port p1 */ if (fixup_name == "dns" && p1 != 0) { an = "maximum-length"; av = p1; p1 = 53; } if (fixup_name.startsWith("ip_options")) { continue; } InspectionClassMap cm(fixup_name.toAscii().constData(), status, p1, p2, an, av); if (cm.isDefault()) defaultClassMaps.push_back(cm); else customClassMaps.push_back(cm); }
QString CompilerDriver_pix::assembleFwScript(Cluster *cluster, Firewall* fw, bool cluster_member, OSConfigurator *oscnf) { Configlet script_skeleton(fw, "pix_os", "script_skeleton"); Configlet top_comment(fw, "pix_os", "top_comment"); FWOptions* options = fw->getOptionsObject(); options->setStr("prolog_script", options->getStr("pix_prolog_script")); options->setStr("epilog_script", options->getStr("pix_epilog_script")); options->setStr("prolog_place", ""); string vers = fw->getStr("version"); string platform = fw->getStr("platform"); bool outbound_acl_supported = Resources::platform_res[platform]->getResourceBool( string("/FWBuilderResources/Target/options/")+ "version_"+vers+ "/pix_outbound_acl_supported"); bool afpa = options->getBool("pix_assume_fw_part_of_any"); bool emulate_outb_acls = options->getBool("pix_emulate_out_acl"); bool generate_outb_acls = options->getBool("pix_generate_out_acl"); top_comment.setVariable( "outbound_acl_supported", QString((outbound_acl_supported) ? "supported" : "not supported")); top_comment.setVariable("emulate_outb_acls", QString((emulate_outb_acls)?"yes":"no")); top_comment.setVariable("generate_outb_acls", QString((generate_outb_acls)?"yes":"no")); top_comment.setVariable("afpa", QString((afpa)?"yes":"no")); script_skeleton.setVariable("short_script", options->getBool("short_script")); script_skeleton.setVariable("not_short_script", ! options->getBool("short_script")); script_skeleton.setVariable("preamble_commands", QString::fromUtf8( preamble_commands.c_str())); script_skeleton.setVariable("clear_commands", QString::fromUtf8( clear_commands.c_str())); script_skeleton.setVariable("system_configuration_script", QString::fromUtf8( system_configuration_script.c_str())); script_skeleton.setVariable("named_objects_and_object_groups", QString::fromUtf8( named_objects_and_groups.c_str())); script_skeleton.setVariable("policy_script", QString::fromUtf8(policy_script.c_str())); script_skeleton.setVariable("nat_script", QString::fromUtf8(nat_script.c_str())); script_skeleton.setVariable("routing_script", QString::fromUtf8(routing_script.c_str())); assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!", true); return script_skeleton.expand(); }
QString CompilerDriver_pix::run(const std::string &cluster_id, const std::string &firewall_id, const std::string &single_rule_id) { Cluster *cluster = NULL; Firewall *fw = NULL; getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw); // Copy rules from the cluster object populateClusterElements(cluster, fw); if (cluster) { // PIX failover is dfferent from VRRP and other failover protocols // in that it does not create new virtual address. Instead, each // unit is configured with two ip addresses, one for the active // unit and another for standby one. When active unit fails, the // other one assumes its address. // // This matters because when we use cluster object or one of its // interfaces in rules, compiler should expand it to the set of // addresses that includes addresses of the corresponding // interface of both member firewalls. Method // CompilerDriver::copyFailoverInterface adds a copy of firewall // interface to the cluster object. This works for all firewalls, // but for PIX we need to add copies of interfaces from both // members. // FWObjectTypedChildIterator cl_iface = cluster->findByType(Interface::TYPENAME); for (; cl_iface != cl_iface.end(); ++cl_iface) { FailoverClusterGroup *failover_group = FailoverClusterGroup::cast( (*cl_iface)->getFirstByType(FailoverClusterGroup::TYPENAME)); if (failover_group) { //FWObject *this_member_interface = NULL; //UNUSED list<FWObject*> other_member_interfaces; for (FWObjectTypedChildIterator it = failover_group->findByType(FWObjectReference::TYPENAME); it != it.end(); ++it) { FWObject *intf = FWObjectReference::getObject(*it); assert(intf); //if (intf->isChildOf(fw)) this_member_interface = intf; //UNUSED //else other_member_interfaces.push_back(intf); if (!intf->isChildOf(fw)) other_member_interfaces.push_back(intf); } if (!other_member_interfaces.empty()) { for (list<FWObject*>::iterator it=other_member_interfaces.begin(); it!=other_member_interfaces.end(); ++it) { cluster->addCopyOf(*it, true); } } } } } #if 0 FWObjectTypedChildIterator iface = fw->findByType(Interface::TYPENAME); for (; iface != iface.end(); ++iface) { (*iface)->dump(true, true); } #endif determineOutputFileNames(cluster, fw, !cluster_id.empty(), QStringList(""), QStringList("fw"), QStringList("")); FWOptions* options = fw->getOptionsObject(); QString script_buffer; std::auto_ptr<NATCompiler_pix> n; std::auto_ptr<PolicyCompiler_pix> c; std::auto_ptr<RoutingCompiler_pix> r; try { clearReadOnly(fw); commonChecks2(cluster, fw); pixClusterConfigurationChecks(cluster, fw); // Note that fwobjectname may be different from the name of the // firewall fw This happens when we compile a member of a cluster current_firewall_name = fw->getName().c_str(); bool pix_acl_basic = options->getBool("pix_acl_basic"); bool pix_acl_no_clear = options->getBool("pix_acl_no_clear"); bool pix_acl_substitution = options->getBool("pix_acl_substitution"); bool pix_add_clear_statements = options->getBool("pix_add_clear_statements"); if (!pix_acl_basic && !pix_acl_no_clear && !pix_acl_substitution) { if ( pix_add_clear_statements ) options->setBool("pix_acl_basic",true); else options->setBool("pix_acl_no_clear",true); } list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); pixSecurityLevelChecks(fw, all_interfaces); pixNetworkZoneChecks(fw, all_interfaces); /* Now that all checks are done, we can drop copies of cluster * interfaces that were added to the firewall by * CompilerDriver::populateClusterElements() */ list<FWObject*> copies_of_cluster_interfaces; for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); if (iface->getOptionsObject()->getBool("cluster_interface")) copies_of_cluster_interfaces.push_back(iface); } while (copies_of_cluster_interfaces.size()) { fw->remove(copies_of_cluster_interfaces.front()); copies_of_cluster_interfaces.pop_front(); } NamedObjectsManagerPIX named_objects_manager(persistent_objects, fw); all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i) { Interface *iface = Interface::cast(*i); assert(iface); /* * missing labels on interfaces * */ if (iface->getLabel()=="") { string lbl; if (iface->isDedicatedFailover()) { // dedicated failover interface misses label. This // interface can be used in failover cluster group // or state sync group. Assign label depending on // the function. FWObjectTypedChildIterator it = cluster->findByType(StateSyncClusterGroup::TYPENAME); StateSyncClusterGroup *state_sync_group = StateSyncClusterGroup::cast(*it); if (state_sync_group && state_sync_group->hasMember(iface)) lbl = "state"; if (!iface->getOptionsObject()->getStr("failover_group_id").empty()) lbl = "failover"; } if (lbl.empty()) { if (iface->getSecurityLevel()==0) lbl="outside"; else { if (iface->getSecurityLevel()==100) lbl="inside"; else { QString l("dmz%1"); lbl = l.arg(iface->getSecurityLevel()).toStdString(); } } } iface->setLabel(lbl); } } /* * now sort interfaces by their network zone "width" (that * is, more narrow network zone should go first, interface * with network zone "any" should be the last) * std::sort(fw->begin(), fw->end(), sort_by_net_zone() ); */ try { AutomaticRules_cisco auto_rules(fw, persistent_objects); auto_rules.addSshAccessRule(); } catch (FWException &ex) { abort(ex.toString()); } std::auto_ptr<Preprocessor> prep( new Preprocessor(objdb , fw, false)); if (inTestMode()) prep->setTestMode(); if (inEmbeddedMode()) prep->setEmbeddedMode(); prep->compile(); std::auto_ptr<OSConfigurator> oscnf( new OSConfigurator_pix_os(objdb , fw, false)); if (inTestMode()) oscnf->setTestMode(); if (inEmbeddedMode()) oscnf->setEmbeddedMode(); oscnf->prolog(); oscnf->processFirewallOptions(); bool have_named_objects = false; bool have_object_groups = false; /* create compilers and run the whole thing */ string version = fw->getStr("version"); if (XMLTools::version_compare(version, "8.3")>=0) n = std::auto_ptr<NATCompiler_pix>( new NATCompiler_asa8(objdb, fw, false, oscnf.get())); else n = std::auto_ptr<NATCompiler_pix>( new NATCompiler_pix(objdb, fw, false, oscnf.get())); RuleSet *nat = RuleSet::cast(fw->getFirstByType(NAT::TYPENAME)); if (nat) { nat->assignUniqueRuleIds(); n->setNamedObjectsManager(&named_objects_manager); n->setSourceRuleSet(nat); n->setRuleSetName(nat->getName()); n->setPersistentObjects(persistent_objects); if (inTestMode()) n->setTestMode(); if (inEmbeddedMode()) n->setEmbeddedMode(); n->setSingleRuleCompileMode(single_rule_id); n->setDebugLevel( dl ); if (rule_debug_on) n->setDebugRule( drn ); n->setVerbose( verbose ); if ( n->prolog() > 0 ) { n->compile(); n->epilog(); preamble_commands += n->printPreambleCommands(); clear_commands += n->printClearCommands(); have_named_objects = (have_named_objects || named_objects_manager.haveNamedObjects()); have_object_groups = (have_object_groups || named_objects_manager.haveObjectGroups()); //named_objects_manager.saveObjectGroups(); } else info(" Nothing to compile in NAT"); } c = std::auto_ptr<PolicyCompiler_pix>( new PolicyCompiler_pix(objdb, fw, false, oscnf.get() , n.get())); RuleSet *policy = RuleSet::cast(fw->getFirstByType(Policy::TYPENAME)); if (policy) { policy->assignUniqueRuleIds(); c->setNamedObjectsManager(&named_objects_manager); c->setSourceRuleSet(policy); c->setRuleSetName(policy->getName()); c->setPersistentObjects(persistent_objects); if (inTestMode()) c->setTestMode(); if (inEmbeddedMode()) c->setEmbeddedMode(); c->setSingleRuleCompileMode(single_rule_id); c->setDebugLevel( dl ); if (rule_debug_on) c->setDebugRule( drp ); c->setVerbose( verbose ); if ( c->prolog() > 0 ) { c->compile(); c->epilog(); preamble_commands += c->printPreambleCommands(); clear_commands += c->printClearCommands(); have_named_objects = (have_named_objects || named_objects_manager.haveNamedObjects()); have_object_groups = (have_object_groups || named_objects_manager.haveObjectGroups()); //named_objects_manager.saveObjectGroups(); } else info(" Nothing to compile in Policy"); } r = std::auto_ptr<RoutingCompiler_pix>( new RoutingCompiler_pix(objdb, fw, false, oscnf.get())); RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME)); if (routing) { routing->assignUniqueRuleIds(); r->setNamedObjectsManager(&named_objects_manager); r->setSourceRuleSet(routing); r->setRuleSetName(routing->getName()); r->setPersistentObjects(persistent_objects); if (inTestMode()) r->setTestMode(); if (inEmbeddedMode()) r->setEmbeddedMode(); r->setSingleRuleCompileMode(single_rule_id); r->setDebugLevel( dl ); if (rule_debug_on) r->setDebugRule( drp ); r->setVerbose( verbose ); if ( r->prolog() > 0 ) { r->compile(); r->epilog(); } else info(" Nothing to compile in Routing"); } /* * compilers detach persistent objects when they finish, this * means at this point library persistent_objects is not part * of any object tree. */ objdb->reparent(persistent_objects); if (haveErrorsAndWarnings()) { all_errors.push_front(getErrors("").c_str()); } policy_script = c->getCompiledScript(); nat_script = n->getCompiledScript(); routing_script = r->getCompiledScript(); named_objects_and_groups = named_objects_manager.getNamedObjectsDefinitions(); if (c->haveErrorsAndWarnings()) all_errors.push_back(c->getErrors("C ").c_str()); if (n->haveErrorsAndWarnings()) all_errors.push_back(n->getErrors("N ").c_str()); if (r->haveErrorsAndWarnings()) all_errors.push_back(r->getErrors("R ").c_str()); if (single_rule_compile_on) { return formSingleRuleCompileOutput( QString::fromUtf8( (named_objects_and_groups + policy_script + nat_script + routing_script).c_str())); } system_configuration_script = oscnf->getCompiledScript(); system_configuration_script += "\n"; clear_commands += named_objects_manager.getClearCommands() + "\n"; // system_configuration_script += preamble_commands; // system_configuration_script += clear_commands; script_buffer = assembleFwScript( cluster, fw, !cluster_id.empty(), oscnf.get()); QString ofname = getAbsOutputFileName(file_names[FW_FILE]); info("Output file name: " + ofname.toStdString()); QFile fw_file(ofname); if (fw_file.open(QIODevice::WriteOnly)) { QTextStream fw_str(&fw_file); fw_str << script_buffer; fw_file.close(); fw_file.setPermissions(QFile::ReadOwner | QFile::WriteOwner | QFile::ReadGroup | QFile::ReadOther | QFile::ExeOwner | QFile::ExeGroup | QFile::ExeOther ); info(" Compiled successfully"); } else { QString err(" Failed to open file %1 for writing: %2; Current dir: %3"); abort(err.arg(fw_file.fileName()) .arg(fw_file.error()).arg(QDir::current().path()).toStdString()); } if (!all_errors.isEmpty()) status = BaseCompiler::FWCOMPILER_WARNING; } catch (FWException &ex) { status = BaseCompiler::FWCOMPILER_ERROR; return QString::fromUtf8(ex.toString().c_str()); } return ""; }
string OSConfigurator_bsd::printFunctions() { ostringstream ostr; FWOptions* options = fw->getOptionsObject(); string host_os = fw->getStr("host_OS"); string version = fw->getStr("version"); Configlet functions(fw, "bsd", "shell_functions"); functions.removeComments(); functions.setVariable("dyn_addr", options->getBool("dynAddr")); if (options->getBool("dynAddr")) { /* * get addresses of dynamic interfaces */ QString script_buffer; QTextStream ostr(&script_buffer, QIODevice::WriteOnly); FWObjectTypedChildIterator j=fw->findByType(Interface::TYPENAME); for ( ; j!=j.end(); ++j ) { Interface *iface=Interface::cast(*j); if ( iface->isDyn() ) { /* if interface name ends with '*', this is a wildcard interface. Do * not get its address at this time. * * Do we support wildcard interfaces on *BSD at all ? */ if (iface->getName().find("*")==string::npos) ostr << "getaddr " << iface->getName().c_str() << " " << getInterfaceVarName(iface).c_str() << "\n"; } } functions.setVariable("get_dyn_addr_commands", script_buffer); } else functions.setVariable("get_dyn_addr_commands", ""); ostr << functions.expand().toStdString(); if ( options->getBool("configure_interfaces") ) { Configlet update_addresses(fw, "bsd", "update_addresses"); update_addresses.removeComments(); update_addresses.setVariable("freebsd", host_os == "freebsd"); update_addresses.setVariable("openbsd", host_os == "openbsd"); ostr << update_addresses.expand().toStdString(); } if ( options->getBool("configure_vlan_interfaces") ) { Configlet update_vlans(fw, "bsd", "update_vlans"); update_vlans.removeComments(); update_vlans.setVariable("freebsd", host_os == "freebsd"); update_vlans.setVariable("openbsd", host_os == "openbsd"); ostr << update_vlans.expand().toStdString(); } if (options->getBool("configure_bridge_interfaces")) { Configlet update_bridge(fw, "bsd", "update_bridge"); update_bridge.removeComments(); update_bridge.setVariable("freebsd", host_os == "freebsd"); if (host_os == "openbsd") { update_bridge.setVariable("openbsd", true); update_bridge.setVariable("openbsd_lt_47", XMLTools::version_compare(version, "4.7")<0); update_bridge.setVariable("openbsd_ge_47", XMLTools::version_compare(version, "4.7")>=0); } ostr << update_bridge.expand().toStdString(); } if ( options->getBool("configure_carp_interfaces") ) { Configlet update_carp(fw, "bsd", "update_carp"); update_carp.removeComments(); update_carp.setVariable("freebsd", host_os == "freebsd"); update_carp.setVariable("openbsd", host_os == "openbsd"); ostr << update_carp.expand().toStdString(); } if ( options->getBool("configure_pfsync_interfaces") ) { Configlet update_pfsync(fw, "bsd", "update_pfsync"); update_pfsync.removeComments(); update_pfsync.setVariable("freebsd", host_os == "freebsd"); update_pfsync.setVariable("openbsd", host_os == "openbsd"); ostr << update_pfsync.expand().toStdString(); } return ostr.str(); }
void PFImporter::addLogging() { PolicyRule *rule = PolicyRule::cast(current_rule); FWOptions *ropt = rule->getOptionsObject(); /* alerts Immediate action needed (severity=1) critical Critical conditions (severity=2) debugging Debugging messages (severity=7) disable Disable log option on this ACL element, (no log at all) emergencies System is unusable (severity=0) errors Error conditions (severity=3) inactive Keyword for disabling an ACL element informational Informational messages (severity=6) interval Configure log interval, default value is 300 sec notifications Normal but significant conditions (severity=5) warnings Warning conditions (severity=4) */ QMap<QString, QString> logging_levels; logging_levels["alerts"] = "alert"; logging_levels["critical"] = "crit"; logging_levels["debugging"] = "debug"; logging_levels["emergencies"] = ""; logging_levels["errors"] = "error"; logging_levels["informational"] = "info"; logging_levels["notifications"] = "notice"; logging_levels["warnings"] = "warning"; logging_levels["0"] = ""; logging_levels["1"] = "alert"; logging_levels["2"] = "crit"; logging_levels["3"] = "error"; logging_levels["4"] = "warning"; logging_levels["5"] = "notice"; logging_levels["6"] = "info"; logging_levels["7"] = "debug"; // QStringList log_levels = getLogLevels("pix"); rule->setLogging(logging); QString log_level_qs = log_level.c_str(); if ( ! log_level_qs.isEmpty()) { if (logging_levels.count(log_level_qs) != 0) ropt->setStr("log_level", logging_levels[log_level_qs].toStdString()); else ropt->setStr("log_level", log_level); if (log_level_qs == "disable" || log_level_qs == "inactive") ropt->setBool("disable_logging_for_this_rule", true); } if ( ! log_interval.empty()) { bool ok = false; int log_interval_int = QString(log_interval.c_str()).toInt(&ok); if (ok) ropt->setInt("log_interval", log_interval_int); } }