1 /*
2 
3                           Firewall Builder
4 
5                  Copyright (C) 2000 NetCitadel, LLC
6 
7   Author:  Vadim Kurland     vadim@fwbuilder.org
8 
9 
10                  Copyright (C) 2013 UNINETT AS
11 
12   Author:  Sirius Bakke <sirius.bakke@uninett.no>
13 
14   This program is free software which we release under the GNU General Public
15   License. You may redistribute and/or modify this program under the terms
16   of that license as published by the Free Software Foundation; either
17   version 2 of the License, or (at your option) any later version.
18 
19   This program is distributed in the hope that it will be useful,
20   but WITHOUT ANY WARRANTY; without even the implied warranty of
21   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
22   GNU General Public License for more details.
23 
24   To get a copy of the GNU General Public License, write to the Free Software
25   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
26 
27 */
28 
29 
30 #ifndef __RULE_HH_FLAG__
31 #define __RULE_HH_FLAG__
32 
33 #include "fwbuilder/Group.h"
34 
35 namespace libfwbuilder
36 {
37 
38     class FWOptions;
39 
40     class RuleElementSrc;
41     class RuleElementDst;
42     class RuleElementSrv;
43     class RuleElementItf;
44     class RuleElementOSrc;
45     class RuleElementODst;
46     class RuleElementOSrv;
47     class RuleElementTSrc;
48     class RuleElementTDst;
49     class RuleElementTSrv;
50     class RuleElementItfInb;
51     class RuleElementItfOutb;
52     class RuleElementInterval;
53     class RuleElementRDst;
54     class RuleElementRGtw;
55     class RuleElementRItf;
56     class RuleSet;
57 
58 class Rule : public Group
59 {
60     /* these members are used only by compilers and are not stored in XML */
61     std::string label;
62     bool        fallback;
63     bool        hidden;
64     std::string unique_id;
65     int         abs_rule_number;
66 
67     /* compilers store warnings and errors associated with this rule here.
68      */
69     std::string compiler_message;
70 
71     public:
72 
73     Rule();
74 
75     /**
76      * This method should create any standard mandatory child objects
77      * the object might need.
78      */
79     virtual void init(FWObjectDatabase *root);
80 
81     DECLARE_FWOBJECT_SUBTYPE(Rule);
82 
83     DECLARE_DISPATCH_METHODS(Rule);
84 
85     void setPosition(int n);
86     int  getPosition() const;
87 
setCompilerMessage(const std::string & msg)88     void setCompilerMessage(const std::string &msg) { compiler_message = msg; }
getCompilerMessage()89     std::string getCompilerMessage() { return compiler_message; }
90 
91     void disable();
92     void enable();
93     bool isDisabled() const;
94 
isFallback()95     bool isFallback() const { return fallback; }
setFallback(bool f)96     void setFallback(bool f) { fallback=f; }
97 
isHidden()98     bool isHidden() const { return hidden; }
setHidden(bool f)99     void setHidden(bool f) { hidden=f; }
100 
getUniqueId()101     std::string getUniqueId() const { return unique_id; }
setUniqueId(const std::string & str)102     void setUniqueId(const std::string &str) { unique_id=str; }
103 
getLabel()104     std::string getLabel() const { return label; }
setLabel(const std::string & l)105     void setLabel(const std::string &l) { label=l; }
106 
107     std::string getRuleGroupName() const;
108     void setRuleGroupName(const std::string &group_name);
109 
getAbsRuleNumber()110     int  getAbsRuleNumber() const { return abs_rule_number; }
setAbsRuleNumber(int rn)111     void setAbsRuleNumber(int rn) { abs_rule_number=rn; }
112 
113     virtual bool isEmpty();
114     virtual bool isDummyRule();
115 
116     virtual FWObject& shallowDuplicate(const FWObject *obj,
117                                        bool preserve_id = true)
118         throw(FWException);
119 
120     virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException);
121 
122     virtual FWOptions* getOptionsObject() const;
123 
124     // find branch ruleset for policy rules with action Branch
125     // We may support some kind of  branching in NAT in the future, so
126     // lets make this method virtual.
127     virtual RuleSet* getBranch();
128     virtual void setBranch(RuleSet *ruleset);
129 
isPrimaryObject()130     virtual bool isPrimaryObject() const { return false; }
131 };
132 
133 class PolicyRule : public Rule
134 {
135     public:
136 /*
137  * Supported policy rule actions:
138  *
139  *        Accept - accept the packet, analysis terminates
140  *
141  *        Reject - reject the packet and send ICMP 'unreachable' or
142  *                 TCP RST back to sender, analysis terminates
143  *
144  *        Deny   - drop the packet, nothing is sent back to sender,
145  *                 analysis terminates
146  *
147  *        Scrub  - run the packet through normalizer (see 'scrub' in
148  *                 PF), continue analysis
149  *
150  *        Return - action used internally, meaning may depend on
151  *                 implementation of the policy compiler but generally
152  *                 means return from the block of rules
153  *
154  *        Skip   - skip N rules down and continue analysis. Used
155  *                 internally.
156  *
157  *        Continue - do nothing, continue analysis. Used internally.
158  *
159  *        Accounting - generate target firewall platform rule to count
160  *                 the packet and continue analysis.
161  *
162  *        Modify - edit the packet (change some header values, like
163  *                 TOS bits) or mark it somehow if the kernel supports
164  *                 that (e.g. target MARK in iptables)
165  *
166  *	  Branch -
167  *
168  *        Route -
169  *
170  */
171     typedef enum { Unknown,
172                    Accept,
173                    Reject,
174                    Deny,
175                    Scrub,
176                    Return,
177                    Skip,
178                    Continue,
179                    Accounting,
180                    Modify,
181                    Pipe,
182                    Custom,
183                    Branch} Action;
184 
185     typedef enum { Undefined,
186                    Inbound,
187                    Outbound,
188                    Both } Direction;
189 
190 private:
191 
192     libfwbuilder::RuleElementSrc* src_re;
193     libfwbuilder::RuleElementDst* dst_re;
194     libfwbuilder::RuleElementSrv* srv_re;
195     libfwbuilder::RuleElementItf* itf_re;
196     libfwbuilder::RuleElementInterval* when_re;
197     Action action;
198     Direction direction;
199 
200 protected:
201     virtual void updateNonStandardObjectReferences();
202 
203 public:
204 
205     PolicyRule();
206 
207     /**
208      * This method should create any standard mandatory child objects
209      * the object might need.
210      */
211     virtual void init(FWObjectDatabase *root);
212 
213     virtual void fromXML(xmlNodePtr parent) throw(FWException);
214     virtual xmlNodePtr toXML      (xmlNodePtr parent) throw(FWException);
215     virtual FWObject& shallowDuplicate(const FWObject *obj,
216                                        bool preserve_id = true)
217         throw(FWException);
218     virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException);
219 
220     DECLARE_FWOBJECT_SUBTYPE(PolicyRule);
221 
222     DECLARE_DISPATCH_METHODS(PolicyRule);
223 
224     virtual FWOptions* getOptionsObject() const;
225 
226     virtual RuleSet* getBranch();
227     virtual void setBranch(RuleSet *ruleset);
228 
229     virtual bool isEmpty();
230     virtual bool isDummyRule();
231 
232     /**
233      * Removes reference to given object among
234      * children of 'this'.
235      */
236     virtual void removeRef(FWObject *obj);
237 
238     /**
239      * Add reference to given object to 'this'. In case of a PolicyRule,
240      * change action and add parameter if @obj is TagService or RuleSet.
241      */
242     virtual void addRef(FWObject *obj);
243 
244     /**
245      * if this object has any references as its children, replace IDs
246      * these references point to. This overloaded method also replaces
247      * references to branch rulesets.
248      */
249     virtual void replaceReferenceInternal(int old_id, int new_id, int &counter);
250 
251     libfwbuilder::RuleElementSrc*  getSrc() ;
252     libfwbuilder::RuleElementDst*  getDst() ;
253     libfwbuilder::RuleElementSrv*  getSrv() ;
254     libfwbuilder::RuleElementItf*  getItf() ;
255     libfwbuilder::RuleElementInterval* getWhen() ;
256 
getAction()257     Action getAction() const { return action; }
setAction(Action act)258     void   setAction(Action act) { action = act; }
259 
260     static std::string getActionAsString(int act);
261     std::string getActionAsString() const;
262     void   setAction(const std::string& act);
263 
getDirection()264     Direction getDirection() const { return direction; }
setDirection(Direction dir)265     void   setDirection(Direction dir) { direction = dir; }
266     std::string getDirectionAsString() const;
267     void   setDirection(const std::string& dir);
268 
269     void setDummySource();
270     void setDummyDestination();
271     void setDummyService();
272     void setDummyInterface();
273 
274     bool getLogging() const;
275     void setLogging(bool flag);
276 
277     // return true if rule does tagging
278     bool getTagging() const;
279     void setTagging(bool f);
280 
281     // return true if rule does routing
282     bool getRouting() const;
283     void setRouting(bool f);
284 
285     // return true if rule does classification
286     bool getClassification() const;
287     void setClassification(bool f);
288 
289     // find TagService object for rules that do tagging
290     FWObject* getTagObject();
291     std::string getTagValue();
292     void setTagObject(FWObject *tag_object);
293 };
294 
295 
296 class NATRule : public Rule
297 {
298 public:
299 
300     typedef enum { Translate,
301                    Branch } NATAction;
302 
303 /*
304  *  Supported NAT rule types:
305  *
306  *      Unknown - Uknown action
307  *
308  *      NONAT - Exception to other nat rules
309  *
310  *      SNAT - Source NAT - Translate Source Address
311  *
312  *      Masq - Masquerading.
313  *
314  *      DNAT - Destnation NAT - Translate Destination Address.
315  *
316  *      SDNAT - Source & Destination NAT - Translate both source and
317  *      destination addresses.
318  *
319  *      SNetNAT - Source Network Translation - Translate source
320  *      address network.
321  *
322  *      DNetNAT - Destination Network Translation - Translate
323  *      destination address network.
324  *
325  *      Redirect - Redirect to firewall - Translate destination to a
326  *      firewall address.
327  *
328  *      Return - Internal use for rule chains.
329  *
330  *      Skip -
331  *
332  *      Continue - Internal use for nat rules with negation.
333  *
334  *      LB - NAT Rule that does load ballencing.
335  *
336  *  NOTE: Not all types supported on all platforms.
337  *
338  */
339     typedef enum { Unknown,
340                    NONAT,
341                    NATBranch,
342                    SNAT,
343                    Masq,
344                    DNAT,
345                    SDNAT,
346                    SNetnat,
347                    DNetnat,
348                    Redirect ,
349                    Return ,
350                    Skip ,
351                    Continue ,
352                    LB }  NATRuleTypes;
353 
354 private:
355 
356     libfwbuilder::RuleElementOSrc*      osrc_re;
357     libfwbuilder::RuleElementODst*      odst_re;
358     libfwbuilder::RuleElementOSrv*      osrv_re;
359     libfwbuilder::RuleElementTSrc*      tsrc_re;
360     libfwbuilder::RuleElementTDst*      tdst_re;
361     libfwbuilder::RuleElementTSrv*      tsrv_re;
362     libfwbuilder::RuleElementItfInb*    itf_inb_re;
363     libfwbuilder::RuleElementItfOutb*   itf_outb_re;
364     libfwbuilder::RuleElementInterval* when_re;
365     NATAction action;
366     NATRuleTypes  rule_type;
367 
368 public:
369 
370     NATRule();
371 
372     /**
373      * This method should create any standard mandatory child objects
374      * the object might need.
375      */
376     virtual void init(FWObjectDatabase *root);
377 
378     virtual void fromXML(xmlNodePtr parent) throw(FWException);
379     virtual xmlNodePtr toXML      (xmlNodePtr parent) throw(FWException);
380 
381     DECLARE_FWOBJECT_SUBTYPE(NATRule);
382 
383     DECLARE_DISPATCH_METHODS(NATRule);
384 
385     virtual FWOptions* getOptionsObject() const;
386 
387     virtual RuleSet* getBranch();
388     virtual void setBranch(RuleSet *ruleset);
389 
390     virtual bool isEmpty();
391 
392     /**
393      * Removes reference to given object among
394      * children of 'this'.
395      */
396     virtual void removeRef(FWObject *obj);
397 
398     /**
399      * Add reference to given object to 'this'. In case of a PolicyRule,
400      * change action and add parameter if @obj is TagService or RuleSet.
401      */
402     virtual void addRef(FWObject *obj);
403 
404     libfwbuilder::RuleElementOSrc* getOSrc();
405     libfwbuilder::RuleElementODst* getODst();
406     libfwbuilder::RuleElementOSrv* getOSrv();
407     libfwbuilder::RuleElementTSrc* getTSrc();
408     libfwbuilder::RuleElementTDst* getTDst();
409     libfwbuilder::RuleElementTSrv* getTSrv();
410     libfwbuilder::RuleElementItfInb* getItfInb();
411     libfwbuilder::RuleElementItfOutb* getItfOutb();
412     libfwbuilder::RuleElementInterval* getWhen();
413 
getAction()414     NATAction getAction() const { return action; }
setAction(NATAction act)415     void setAction(NATAction act) { action = act; }
416 
417     static std::string getActionAsString(int act);
418     std::string getActionAsString() const;
419     void setAction(const std::string& act);
420 
421     NATRuleTypes getRuleType() const;
422     std::string  getRuleTypeAsString() const;
423     void setRuleType(NATRuleTypes rt);
424 
425     virtual FWObject& shallowDuplicate(const FWObject *obj, bool preserve_id = true)
426         throw(FWException);
427     virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException);
428 };
429 
430 class RoutingRule : public Rule
431 {
432     public:
433 
434     typedef enum { Undefined,
435                    SinglePath,
436                    MultiPath }  RoutingRuleTypes;
437 
438     private:
439 
440     RoutingRuleTypes rule_type;
441     std::string sorted_dst_ids;
442     // int ecmp_id; // Unused
443 
444     public:
445 
446     RoutingRule();
447 
448     /**
449      * This method should create any standard mandatory child objects
450      * the object might need.
451      */
452     virtual void init(FWObjectDatabase *root);
453 
454     virtual void fromXML(xmlNodePtr parent) throw(FWException);
455     virtual xmlNodePtr toXML(xmlNodePtr parent) throw(FWException);
456 
457     DECLARE_FWOBJECT_SUBTYPE(RoutingRule);
458 
459     DECLARE_DISPATCH_METHODS(RoutingRule);
460 
461     virtual FWOptions* getOptionsObject() const;
462     virtual RuleSet* getBranch();
463     virtual bool isEmpty();
464 
465     int  getMetric() const;
466     void setMetric(int metric);
467     void setMetric(std::string metric);
468     std::string getMetricAsString() const;
469 
470     libfwbuilder::RuleElementRDst* getRDst() const;
471     libfwbuilder::RuleElementRGtw* getRGtw() const;
472     libfwbuilder::RuleElementRItf* getRItf() const;
473 
474     RoutingRuleTypes getRuleType() const;
475     std::string      getRuleTypeAsString() const;
476     void             setRuleType(RoutingRuleTypes rt);
477 
478     void        setSortedDstIds(const std::string& ids);
479     std::string getSortedDstIds() const;
480 
481     virtual FWObject& duplicate(const FWObject *obj, bool preserve_id = true)
482         throw(FWException);
483 };
484 
485 }
486 
487 #endif //__RULE_HH_FLAG__
488