bool PolicyCompiler_pf::addLoopbackForRedirect::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
PolicyCompiler_pf *pf_comp = dynamic_cast<PolicyCompiler_pf*>(compiler);
RuleElementDst *dst = rule->getDst();
RuleElementSrv *srv = rule->getSrv();
if (pf_comp->redirect_rules_info==NULL)
compiler->abort(
rule,
"addLoopbackForRedirect needs a valid pointer to "
"the list<NATCompiler_pf::redirectRuleInfo> object");
tmp_queue.push_back(rule);
if (pf_comp->redirect_rules_info->empty()) return true;
for (FWObject::iterator i=srv->begin(); i!=srv->end(); i++)
{
FWObject *o1 = FWReference::getObject(*i);
Service *s = Service::cast( o1 );
assert(s);
for (FWObject::iterator j=dst->begin(); j!=dst->end(); j++)
{
FWObject *o2 = FWReference::getObject(*j);
if (o2->getName() == "self" && DNSName::isA(o2)) continue;
Address *a = Address::cast( o2 );
assert(a);
list<NATCompiler_pf::redirectRuleInfo>::const_iterator k;
for (k=pf_comp->redirect_rules_info->begin();
k!=pf_comp->redirect_rules_info->end(); ++k)
{
Address *old_tdst_obj = Address::cast(
compiler->dbcopy->findInIndex(k->old_tdst));
Service *tsrv_obj = Service::cast(
compiler->dbcopy->findInIndex(k->tsrv));
if ( *a == *(old_tdst_obj) && *s == *(tsrv_obj) )
{
// insert address used for redirection in the NAT rule.
FWObject *new_tdst_obj = compiler->dbcopy->findInIndex(k->new_tdst);
dst->addRef(new_tdst_obj);
return true;
}
}
}
}
return true;
}
bool PolicyCompiler_pf::createTables::processNext()
{
PolicyCompiler_pf *pf_comp = dynamic_cast<PolicyCompiler_pf*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
RuleElementSrc *src = rule->getSrc();
RuleElementDst *dst = rule->getDst();
if (!src->isAny()) pf_comp->tables->createTablesForRE(src, rule);
if (!dst->isAny()) pf_comp->tables->createTablesForRE(dst, rule);
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_pf::splitIfFirewallInDst::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
PolicyRule *r;
RuleElementDst *dst = rule->getDst(); assert(dst);
if (dst->size()==1 || dst->getNeg())
{
tmp_queue.push_back(rule);
return true;
}
FWObject *fw_in_dst = NULL;
vector<FWObject*> cl;
for (FWObject::iterator i1=dst->begin(); i1!=dst->end(); ++i1)
{
FWObject *obj = FWReference::getObject(*i1);
if (obj==NULL)
compiler->abort(rule, "Broken Dst");
if (obj->getId()==compiler->getFwId())
{
fw_in_dst = obj;
RuleElementDst *ndst;
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
ndst = r->getDst();
ndst->clearChildren();
ndst->setAnyElement();
ndst->addRef( compiler->fw );
tmp_queue.push_back(r);
}
}
if (fw_in_dst!=NULL) dst->removeRef( fw_in_dst );
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_ipf::doDstNegation::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementDst *dst=rule->getDst();
if (dst->getNeg()) {
RuleElementDst *ndst;
PolicyRule *r;
FWOptions *ruleopt;
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setAction(PolicyRule::Continue);
r->setLogging(false);
ndst=r->getDst();
ndst->setNeg(false);
r->setBool("quick",false);
r->setBool("skip_check_for_duplicates",true);
ruleopt = r->getOptionsObject();
ruleopt->setBool("stateless", true);
tmp_queue.push_back(r);
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
ndst=r->getDst();
ndst->setNeg(false);
ndst->clearChildren();
ndst->setAnyElement();
r->setBool("quick",true);
r->setBool("skip_check_for_duplicates",true);
tmp_queue.push_back(r);
return true;
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_pf::doDstNegation::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementDst *dst=rule->getDst();
if (dst->getNeg()) {
RuleElementDst *ndst;
PolicyRule *r;
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
if (rule->getAction()==PolicyRule::Accept)
r->setAction(PolicyRule::Deny);
else
r->setAction(PolicyRule::Accept);
ndst=r->getDst();
ndst->setNeg(false);
r->setBool("quick",true);
r->setLogging(false);
tmp_queue.push_back(r);
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
ndst=r->getDst();
ndst->setNeg(false);
ndst->clearChildren();
ndst->setAnyElement();
r->setBool("quick",true);
tmp_queue.push_back(r);
return true;
}
tmp_queue.push_back(rule);
return true;
}
string PolicyCompiler::debugPrintRule(Rule *r)
{
PolicyRule *rule=PolicyRule::cast(r);
// FWOptions *ruleopt =rule->getOptionsObject();
RuleElementSrc *srcrel = rule->getSrc();
RuleElementDst *dstrel = rule->getDst();
RuleElementSrv *srvrel = rule->getSrv();
RuleElementItf *itfrel = rule->getItf();
// int iface_id = rule->getInterfaceId();
// Interface *rule_iface = Interface::cast(dbcopy->findInIndex(iface_id));
ostringstream str;
// str << setw(70) << setfill('-') << "-";
int no=0;
FWObject::iterator i1=srcrel->begin();
FWObject::iterator i2=dstrel->begin();
FWObject::iterator i3=srvrel->begin();
FWObject::iterator i4=itfrel->begin();
while ( i1!=srcrel->end() || i2!=dstrel->end() || i3!=srvrel->end() ||
i4!=itfrel->end())
{
str << endl;
string src=" ";
string dst=" ";
string srv=" ";
string itf=" ";
int src_id = -1;
int dst_id = -1;
int srv_id = -1;
if (srcrel->getNeg()) src = "!";
if (dstrel->getNeg()) dst = "!";
if (srvrel->getNeg()) srv = "!";
if (itfrel->getNeg()) itf = "!";
if (i1!=srcrel->end())
{
FWObject *o = FWReference::getObject(*i1);
src += o->getName();
src_id = o->getId();
}
if (i2!=dstrel->end())
{
FWObject *o = FWReference::getObject(*i2);
dst += o->getName();
dst_id = o->getId();
}
if (i3!=srvrel->end())
{
FWObject *o = FWReference::getObject(*i3);
srv += o->getName();
srv_id = o->getId();
}
if (i4!=itfrel->end())
{
ostringstream str;
FWObject *o = FWReference::getObject(*i4);
str << o->getName() << "(" << o->getId() << ")";
itf += str.str();
}
int w = 0;
if (no==0)
{
str << rule->getLabel();
w = rule->getLabel().length();
}
str << setw(10-w) << setfill(' ') << " ";
str << setw(18) << setfill(' ') << src.c_str() << "(" << src_id << ")";
str << setw(18) << setfill(' ') << dst.c_str() << "(" << dst_id << ")";
str << setw(12) << setfill(' ') << srv.c_str() << "(" << srv_id << ")";
str << setw(8) << setfill(' ') << itf.c_str();
if (no==0)
{
str << setw(9) << setfill(' ') << rule->getActionAsString().c_str();
str << setw(12) << setfill(' ') << rule->getDirectionAsString().c_str();
if (rule->getLogging()) str << " LOG";
} else
str << setw(18) << setfill(' ') << " ";
++no;
if ( i1!=srcrel->end() ) ++i1;
if ( i2!=dstrel->end() ) ++i2;
if ( i3!=srvrel->end() ) ++i3;
if ( i4!=itfrel->end() ) ++i4;
}
return str.str();
}
bool PolicyCompiler_pix::matchTranslatedAddresses::processNext()
{
PolicyRule *rule = getNext(); if (rule==nullptr) return false;
string version = compiler->fw->getStr("version");
transformed_rules.clear();
RuleElementSrc *srcrel = rule->getSrc();
RuleElementDst *dstrel = rule->getDst();
RuleElementSrv *srvrel = rule->getSrv();
for (list<FWObject*>::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1)
{
for (list<FWObject*>::iterator i2=dstrel->begin(); i2!=dstrel->end(); ++i2)
{
for (list<FWObject*>::iterator i3=srvrel->begin(); i3!=srvrel->end(); ++i3)
{
FWObject *o1 = *i1;
FWObject *o2 = *i2;
FWObject *o3 = *i3;
FWObject *obj1 = nullptr;
FWObject *obj2 = nullptr;
FWObject *obj3 = nullptr;
obj1 = FWReference::getObject(o1);
Address *src = Address::cast(obj1);
assert(src!=nullptr);
obj2 = FWReference::getObject(o2);
Address *dst = Address::cast(obj2);
assert(dst!=nullptr);
obj3 = FWReference::getObject(o3);
Service *srv = Service::cast(obj3);
assert(srv!=nullptr);
list<NATRule*> tl = findMatchingNATRules(src, dst, srv);
for( list<NATRule*>::iterator t=tl.begin(); t!=tl.end(); ++t)
action(rule, *t, src, dst, srv);
}
}
}
/*
*list transformed_rules has all the atomic rules that have a matching
* NAT rule, with dst and srv already converted. We just add them to
* the policy on top of the original rule.
*/
list<PolicyRule*>::iterator i1;
for (i1=transformed_rules.begin(); i1!=transformed_rules.end(); ++i1)
{
PolicyRule *r=PolicyRule::cast( *i1 );
tmp_queue.push_back(r);
}
tmp_queue.push_back(rule);
return true;
}
void PolicyCompiler_pix::replaceTranslatedAddresses::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address *src, Address*, Service *srv)
{
// FWObject *rule_iface = compiler->dbcopy->findInIndex(
// policy_rule->getInterfaceId());
RuleElementItf *intf_re = policy_rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
RuleElement *re = nat_rule->getOSrc();
FWObject *o = FWReference::getObject(re->front());
#ifndef NDEBUG
Address *osrc = Address::cast(o); assert(osrc);
#endif
re = nat_rule->getODst();
o = FWReference::getObject(re->front());
Address *odst = Address::cast(o); assert(odst);
re = nat_rule->getOSrv();
o = FWReference::getObject(re->front());
Service *osrv = Service::cast(o); assert(osrv);
#ifndef NDEBUG
re = nat_rule->getTSrc();
o = FWReference::getObject(re->front());
Address *tsrc = Address::cast(o); assert(tsrc);
re = nat_rule->getTDst();
o = FWReference::getObject(re->front());
Address *tdst = Address::cast(o); assert(tdst);
re = nat_rule->getTSrv();
o = FWReference::getObject(re->front());
Service *tsrv = Service::cast(o); assert(tsrv);
#endif
FWObject *p = odst->getParent();
if (odst->getId() == rule_iface->getId() ||
p->getId() == rule_iface->getId())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(policy_rule);
RuleElementSrc *nsrc = r->getSrc();
nsrc->clearChildren();
nsrc->addRef( src );
RuleElementDst *ndst = r->getDst();
ndst->clearChildren();
ndst->addRef( odst );
RuleElementSrv *nsrv = r->getSrv();
nsrv->clearChildren();
if (osrv->isAny())
nsrv->addRef( srv );
else
nsrv->addRef( osrv );
transformed_rules.push_back(r);
}
}