1 /* 2 3 Firewall Builder 4 5 Copyright (C) 2000 NetCitadel, LLC 6 7 Author: Vadim Kurland vadim@fwbuilder.org 8 9 10 Copyright (C) 2013 UNINETT AS 11 12 Author: Sirius Bakke <sirius.bakke@uninett.no> 13 14 This program is free software which we release under the GNU General Public 15 License. You may redistribute and/or modify this program under the terms 16 of that license as published by the Free Software Foundation; either 17 version 2 of the License, or (at your option) any later version. 18 19 This program is distributed in the hope that it will be useful, 20 but WITHOUT ANY WARRANTY; without even the implied warranty of 21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 GNU General Public License for more details. 23 24 To get a copy of the GNU General Public License, write to the Free Software 25 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 26 27 */ 28 29 30 #ifndef __RULE_HH_FLAG__ 31 #define __RULE_HH_FLAG__ 32 33 #include "fwbuilder/Group.h" 34 35 namespace libfwbuilder 36 { 37 38 class FWOptions; 39 40 class RuleElementSrc; 41 class RuleElementDst; 42 class RuleElementSrv; 43 class RuleElementItf; 44 class RuleElementOSrc; 45 class RuleElementODst; 46 class RuleElementOSrv; 47 class RuleElementTSrc; 48 class RuleElementTDst; 49 class RuleElementTSrv; 50 class RuleElementItfInb; 51 class RuleElementItfOutb; 52 class RuleElementInterval; 53 class RuleElementRDst; 54 class RuleElementRGtw; 55 class RuleElementRItf; 56 class RuleSet; 57 58 class Rule : public Group 59 { 60 /* these members are used only by compilers and are not stored in XML */ 61 std::string label; 62 bool fallback; 63 bool hidden; 64 std::string unique_id; 65 int abs_rule_number; 66 67 /* compilers store warnings and errors associated with this rule here. 68 */ 69 std::string compiler_message; 70 71 public: 72 73 Rule(); 74 75 /** 76 * This method should create any standard mandatory child objects 77 * the object might need. 78 */ 79 virtual void init(FWObjectDatabase *root); 80 81 DECLARE_FWOBJECT_SUBTYPE(Rule); 82 83 DECLARE_DISPATCH_METHODS(Rule); 84 85 void setPosition(int n); 86 int getPosition() const; 87 setCompilerMessage(const std::string & msg)88 void setCompilerMessage(const std::string &msg) { compiler_message = msg; } getCompilerMessage()89 std::string getCompilerMessage() { return compiler_message; } 90 91 void disable(); 92 void enable(); 93 bool isDisabled() const; 94 isFallback()95 bool isFallback() const { return fallback; } setFallback(bool f)96 void setFallback(bool f) { fallback=f; } 97 isHidden()98 bool isHidden() const { return hidden; } setHidden(bool f)99 void setHidden(bool f) { hidden=f; } 100 getUniqueId()101 std::string getUniqueId() const { return unique_id; } setUniqueId(const std::string & str)102 void setUniqueId(const std::string &str) { unique_id=str; } 103 getLabel()104 std::string getLabel() const { return label; } setLabel(const std::string & l)105 void setLabel(const std::string &l) { label=l; } 106 107 std::string getRuleGroupName() const; 108 void setRuleGroupName(const std::string &group_name); 109 getAbsRuleNumber()110 int getAbsRuleNumber() const { return abs_rule_number; } setAbsRuleNumber(int rn)111 void setAbsRuleNumber(int rn) { abs_rule_number=rn; } 112 113 virtual bool isEmpty(); 114 virtual bool isDummyRule(); 115 116 virtual FWObject& shallowDuplicate(const FWObject *obj, 117 bool preserve_id = true) 118 throw(FWException); 119 120 virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); 121 122 virtual FWOptions* getOptionsObject() const; 123 124 // find branch ruleset for policy rules with action Branch 125 // We may support some kind of branching in NAT in the future, so 126 // lets make this method virtual. 127 virtual RuleSet* getBranch(); 128 virtual void setBranch(RuleSet *ruleset); 129 isPrimaryObject()130 virtual bool isPrimaryObject() const { return false; } 131 }; 132 133 class PolicyRule : public Rule 134 { 135 public: 136 /* 137 * Supported policy rule actions: 138 * 139 * Accept - accept the packet, analysis terminates 140 * 141 * Reject - reject the packet and send ICMP 'unreachable' or 142 * TCP RST back to sender, analysis terminates 143 * 144 * Deny - drop the packet, nothing is sent back to sender, 145 * analysis terminates 146 * 147 * Scrub - run the packet through normalizer (see 'scrub' in 148 * PF), continue analysis 149 * 150 * Return - action used internally, meaning may depend on 151 * implementation of the policy compiler but generally 152 * means return from the block of rules 153 * 154 * Skip - skip N rules down and continue analysis. Used 155 * internally. 156 * 157 * Continue - do nothing, continue analysis. Used internally. 158 * 159 * Accounting - generate target firewall platform rule to count 160 * the packet and continue analysis. 161 * 162 * Modify - edit the packet (change some header values, like 163 * TOS bits) or mark it somehow if the kernel supports 164 * that (e.g. target MARK in iptables) 165 * 166 * Branch - 167 * 168 * Route - 169 * 170 */ 171 typedef enum { Unknown, 172 Accept, 173 Reject, 174 Deny, 175 Scrub, 176 Return, 177 Skip, 178 Continue, 179 Accounting, 180 Modify, 181 Pipe, 182 Custom, 183 Branch} Action; 184 185 typedef enum { Undefined, 186 Inbound, 187 Outbound, 188 Both } Direction; 189 190 private: 191 192 libfwbuilder::RuleElementSrc* src_re; 193 libfwbuilder::RuleElementDst* dst_re; 194 libfwbuilder::RuleElementSrv* srv_re; 195 libfwbuilder::RuleElementItf* itf_re; 196 libfwbuilder::RuleElementInterval* when_re; 197 Action action; 198 Direction direction; 199 200 protected: 201 virtual void updateNonStandardObjectReferences(); 202 203 public: 204 205 PolicyRule(); 206 207 /** 208 * This method should create any standard mandatory child objects 209 * the object might need. 210 */ 211 virtual void init(FWObjectDatabase *root); 212 213 virtual void fromXML(xmlNodePtr parent) throw(FWException); 214 virtual xmlNodePtr toXML (xmlNodePtr parent) throw(FWException); 215 virtual FWObject& shallowDuplicate(const FWObject *obj, 216 bool preserve_id = true) 217 throw(FWException); 218 virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); 219 220 DECLARE_FWOBJECT_SUBTYPE(PolicyRule); 221 222 DECLARE_DISPATCH_METHODS(PolicyRule); 223 224 virtual FWOptions* getOptionsObject() const; 225 226 virtual RuleSet* getBranch(); 227 virtual void setBranch(RuleSet *ruleset); 228 229 virtual bool isEmpty(); 230 virtual bool isDummyRule(); 231 232 /** 233 * Removes reference to given object among 234 * children of 'this'. 235 */ 236 virtual void removeRef(FWObject *obj); 237 238 /** 239 * Add reference to given object to 'this'. In case of a PolicyRule, 240 * change action and add parameter if @obj is TagService or RuleSet. 241 */ 242 virtual void addRef(FWObject *obj); 243 244 /** 245 * if this object has any references as its children, replace IDs 246 * these references point to. This overloaded method also replaces 247 * references to branch rulesets. 248 */ 249 virtual void replaceReferenceInternal(int old_id, int new_id, int &counter); 250 251 libfwbuilder::RuleElementSrc* getSrc() ; 252 libfwbuilder::RuleElementDst* getDst() ; 253 libfwbuilder::RuleElementSrv* getSrv() ; 254 libfwbuilder::RuleElementItf* getItf() ; 255 libfwbuilder::RuleElementInterval* getWhen() ; 256 getAction()257 Action getAction() const { return action; } setAction(Action act)258 void setAction(Action act) { action = act; } 259 260 static std::string getActionAsString(int act); 261 std::string getActionAsString() const; 262 void setAction(const std::string& act); 263 getDirection()264 Direction getDirection() const { return direction; } setDirection(Direction dir)265 void setDirection(Direction dir) { direction = dir; } 266 std::string getDirectionAsString() const; 267 void setDirection(const std::string& dir); 268 269 void setDummySource(); 270 void setDummyDestination(); 271 void setDummyService(); 272 void setDummyInterface(); 273 274 bool getLogging() const; 275 void setLogging(bool flag); 276 277 // return true if rule does tagging 278 bool getTagging() const; 279 void setTagging(bool f); 280 281 // return true if rule does routing 282 bool getRouting() const; 283 void setRouting(bool f); 284 285 // return true if rule does classification 286 bool getClassification() const; 287 void setClassification(bool f); 288 289 // find TagService object for rules that do tagging 290 FWObject* getTagObject(); 291 std::string getTagValue(); 292 void setTagObject(FWObject *tag_object); 293 }; 294 295 296 class NATRule : public Rule 297 { 298 public: 299 300 typedef enum { Translate, 301 Branch } NATAction; 302 303 /* 304 * Supported NAT rule types: 305 * 306 * Unknown - Uknown action 307 * 308 * NONAT - Exception to other nat rules 309 * 310 * SNAT - Source NAT - Translate Source Address 311 * 312 * Masq - Masquerading. 313 * 314 * DNAT - Destnation NAT - Translate Destination Address. 315 * 316 * SDNAT - Source & Destination NAT - Translate both source and 317 * destination addresses. 318 * 319 * SNetNAT - Source Network Translation - Translate source 320 * address network. 321 * 322 * DNetNAT - Destination Network Translation - Translate 323 * destination address network. 324 * 325 * Redirect - Redirect to firewall - Translate destination to a 326 * firewall address. 327 * 328 * Return - Internal use for rule chains. 329 * 330 * Skip - 331 * 332 * Continue - Internal use for nat rules with negation. 333 * 334 * LB - NAT Rule that does load ballencing. 335 * 336 * NOTE: Not all types supported on all platforms. 337 * 338 */ 339 typedef enum { Unknown, 340 NONAT, 341 NATBranch, 342 SNAT, 343 Masq, 344 DNAT, 345 SDNAT, 346 SNetnat, 347 DNetnat, 348 Redirect , 349 Return , 350 Skip , 351 Continue , 352 LB } NATRuleTypes; 353 354 private: 355 356 libfwbuilder::RuleElementOSrc* osrc_re; 357 libfwbuilder::RuleElementODst* odst_re; 358 libfwbuilder::RuleElementOSrv* osrv_re; 359 libfwbuilder::RuleElementTSrc* tsrc_re; 360 libfwbuilder::RuleElementTDst* tdst_re; 361 libfwbuilder::RuleElementTSrv* tsrv_re; 362 libfwbuilder::RuleElementItfInb* itf_inb_re; 363 libfwbuilder::RuleElementItfOutb* itf_outb_re; 364 libfwbuilder::RuleElementInterval* when_re; 365 NATAction action; 366 NATRuleTypes rule_type; 367 368 public: 369 370 NATRule(); 371 372 /** 373 * This method should create any standard mandatory child objects 374 * the object might need. 375 */ 376 virtual void init(FWObjectDatabase *root); 377 378 virtual void fromXML(xmlNodePtr parent) throw(FWException); 379 virtual xmlNodePtr toXML (xmlNodePtr parent) throw(FWException); 380 381 DECLARE_FWOBJECT_SUBTYPE(NATRule); 382 383 DECLARE_DISPATCH_METHODS(NATRule); 384 385 virtual FWOptions* getOptionsObject() const; 386 387 virtual RuleSet* getBranch(); 388 virtual void setBranch(RuleSet *ruleset); 389 390 virtual bool isEmpty(); 391 392 /** 393 * Removes reference to given object among 394 * children of 'this'. 395 */ 396 virtual void removeRef(FWObject *obj); 397 398 /** 399 * Add reference to given object to 'this'. In case of a PolicyRule, 400 * change action and add parameter if @obj is TagService or RuleSet. 401 */ 402 virtual void addRef(FWObject *obj); 403 404 libfwbuilder::RuleElementOSrc* getOSrc(); 405 libfwbuilder::RuleElementODst* getODst(); 406 libfwbuilder::RuleElementOSrv* getOSrv(); 407 libfwbuilder::RuleElementTSrc* getTSrc(); 408 libfwbuilder::RuleElementTDst* getTDst(); 409 libfwbuilder::RuleElementTSrv* getTSrv(); 410 libfwbuilder::RuleElementItfInb* getItfInb(); 411 libfwbuilder::RuleElementItfOutb* getItfOutb(); 412 libfwbuilder::RuleElementInterval* getWhen(); 413 getAction()414 NATAction getAction() const { return action; } setAction(NATAction act)415 void setAction(NATAction act) { action = act; } 416 417 static std::string getActionAsString(int act); 418 std::string getActionAsString() const; 419 void setAction(const std::string& act); 420 421 NATRuleTypes getRuleType() const; 422 std::string getRuleTypeAsString() const; 423 void setRuleType(NATRuleTypes rt); 424 425 virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true) 426 throw(FWException); 427 virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); 428 }; 429 430 class RoutingRule : public Rule 431 { 432 public: 433 434 typedef enum { Undefined, 435 SinglePath, 436 MultiPath } RoutingRuleTypes; 437 438 private: 439 440 RoutingRuleTypes rule_type; 441 std::string sorted_dst_ids; 442 // int ecmp_id; // Unused 443 444 public: 445 446 RoutingRule(); 447 448 /** 449 * This method should create any standard mandatory child objects 450 * the object might need. 451 */ 452 virtual void init(FWObjectDatabase *root); 453 454 virtual void fromXML(xmlNodePtr parent) throw(FWException); 455 virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException); 456 457 DECLARE_FWOBJECT_SUBTYPE(RoutingRule); 458 459 DECLARE_DISPATCH_METHODS(RoutingRule); 460 461 virtual FWOptions* getOptionsObject() const; 462 virtual RuleSet* getBranch(); 463 virtual bool isEmpty(); 464 465 int getMetric() const; 466 void setMetric(int metric); 467 void setMetric(std::string metric); 468 std::string getMetricAsString() const; 469 470 libfwbuilder::RuleElementRDst* getRDst() const; 471 libfwbuilder::RuleElementRGtw* getRGtw() const; 472 libfwbuilder::RuleElementRItf* getRItf() const; 473 474 RoutingRuleTypes getRuleType() const; 475 std::string getRuleTypeAsString() const; 476 void setRuleType(RoutingRuleTypes rt); 477 478 void setSortedDstIds(const std::string& ids); 479 std::string getSortedDstIds() const; 480 481 virtual FWObject& duplicate(const FWObject *obj, bool preserve_id = true) 482 throw(FWException); 483 }; 484 485 } 486 487 #endif //__RULE_HH_FLAG__ 488