1 /*
2 
3                           Firewall Builder
4 
5                  Copyright (C) 2009 NetCitadel, LLC
6 
7   Author:  Vadim Kurland     vadim@vk.crocodile.org
8 
9   $Id$
10 
11   This program is free software which we release under the GNU General Public
12   License. You may redistribute and/or modify this program under the terms
13   of that license as published by the Free Software Foundation; either
14   version 2 of the License, or (at your option) any later version.
15 
16   This program is distributed in the hope that it will be useful,
17   but WITHOUT ANY WARRANTY; without even the implied warranty of
18   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19   GNU General Public License for more details.
20 
21   To get a copy of the GNU General Public License, write to the Free Software
22   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
23 
24 */
25 
26 #ifndef __COMPILER_DRIVER_IPT_HH__
27 #define __COMPILER_DRIVER_IPT_HH__
28 
#include "../compiler_lib/CompilerDriver.h"

#include "PolicyCompiler_ipt.h"
#include "OSConfigurator_linux24.h"

#include <list>
#include <map>
#include <memory>
#include <sstream>
#include <string>

#include <QMap>
#include <QString>
41 
42 
// Forward declarations of libfwbuilder types so that this header does not
// have to pull in the full libfwbuilder headers.  Of these, only
// FWObjectDatabase, Firewall and RuleSet are actually named in the
// CompilerDriver_ipt interface below; Cluster, ClusterGroup, Interface,
// Address and PolicyRule are presumably kept for code that relies on
// them being declared here.  Note that libfwbuilder::FWObject, which the
// interface also uses, is not declared here and must come from one of the
// included headers.
namespace libfwbuilder
{
    class FWObjectDatabase;
    class Cluster;
    class ClusterGroup;
    class Firewall;
    class RuleSet;
    class Interface;
    class Address;
    class PolicyRule;
};  // NOTE(review): the ';' after a namespace body is redundant (empty declaration)
54 
55 namespace fwcompiler
56 {
57 
    // iptables back-end of the generic CompilerDriver.  It runs the policy
    // and NAT compilers for one firewall and collects their output into
    // the per-table script fragments that dumpScript() assembles.  All
    // method bodies live in the corresponding .cpp; the comments below
    // describe only what the declarations themselves show.
    class CompilerDriver_ipt : public CompilerDriver
    {

        // Commands that pass control to branch chains should go into the
        // POSTROUTING or PREROUTING chain depending on the targets used
        // inside the branch. Branches that use mixed rules (both SNAT
        // and DNAT) will be split so that two separate chains are created, one
        // for all SNAT rules and another for all DNAT rules. Rules in
        // the top NAT ruleset that pass control to them will be placed into
        // the PREROUTING or POSTROUTING chain depending on the target in the branch.
        // The following maps targets used in the branch to the ruleset name.
        // By convention, the chain created for the branch rules will be named
        // using a combination of the ruleset name and the word "PREROUTING"
        // or "POSTROUTING".
        std::map<std::string, std::list<std::string> > branch_ruleset_to_chain_mapping;

        // Factory for the PolicyCompiler_ipt used to compile rulesets of
        // `fw`.  `ipv6_policy` presumably selects the IPv6 flavour of the
        // compiler, `_oscnf` is the OS configurator handed to it and
        // `m_n_commands_map` is the chain-name -> bool map shared with the
        // caller (see the minus_n_commands_* parameters of
        // processPolicyRuleSet / processNatRuleSet).  Ownership of the
        // compiler is transferred to the caller via the returned auto_ptr.
        // NOTE(review): std::auto_ptr is deprecated since C++11 and removed
        // in C++17; moving to std::unique_ptr has to be done together with
        // the definition in the .cpp and every caller.
        std::auto_ptr<PolicyCompiler_ipt> createPolicyCompiler(
            libfwbuilder::Firewall *fw,
            bool ipv6_policy,
            fwcompiler::OSConfigurator *_oscnf,
            std::map<const std::string, bool> *m_n_commands_map);

        // Presumably record whether the compiled rules use CONNMARK (overall,
        // and specifically in the OUTPUT chain), so that the driver can emit
        // whatever supporting commands that requires -- the flags are only
        // declared here; confirm where they are set and read in the .cpp.
        // They are plain bools with no in-class initializer, so the
        // constructor must initialize them.
        bool have_connmark;
        bool have_connmark_in_output;

public:

        // `db` is the object database the driver compiles from.
        CompilerDriver_ipt(libfwbuilder::FWObjectDatabase *db);
        // Virtual: the class is used polymorphically through CompilerDriver*.
        virtual ~CompilerDriver_ipt();

        // create a copy of itself, including objdb.
        // Returns a raw pointer; presumably the caller owns and must delete
        // the copy -- confirm against CompilerDriver::clone().
        virtual CompilerDriver* clone();

        // Entry point of a compile run.  `cluster_id`, `firewall_id` and
        // `single_rule_id` identify objects in the database; when
        // `single_rule_id` is non-empty presumably only that rule is
        // compiled (a single-rule preview) -- confirm in the .cpp.  What the
        // returned QString carries (generated script, diagnostics, or both)
        // cannot be told from the declaration.
        virtual QString run(const std::string &cluster_id,
                            const std::string &firewall_id,
                            const std::string &single_rule_id);

        // Decides which iptables chain `ruleset` is compiled into
        // (name-based reading of the declaration; see the .cpp).
        void assignRuleSetChain(libfwbuilder::RuleSet *ruleset);
        // Scans `all_policies` for branch rulesets that belong in the
        // mangle table (name-based reading; see the .cpp).
        void findBranchesInMangleTable(libfwbuilder::Firewall*,
                                       std::list<libfwbuilder::FWObject*> &all_policies);

        // Assembles the final script text from the fragments produced by
        // the ruleset passes: the "automatic" rules and mangle rules, then
        // the nat, mangle and filter table scripts (their names match the
        // output streams of processPolicyRuleSet / processNatRuleSet).
        // `ipv6_policy` presumably selects the IPv6 variant of the output.
        // NOTE(review): the returned script is presumably executed on the
        // firewall host; verify in the .cpp that strings derived from user
        // editable objects (names, comments) are escaped before they reach
        // these fragments.
        std::string dumpScript(libfwbuilder::Firewall *fw,
                               const std::string& automatic_rules_script,
                               const std::string& automatic_mangle_script,
                               const std::string& nat_script,
                               const std::string& mangle_script,
                               const std::string& filter_script,
                               bool ipv6_policy);

        // Compiles one Policy ruleset of `fw`, appending generated commands
        // to the output streams:
        //   filter_table_stream / mangle_table_stream       -- per-table rules
        //   automatic_rules_stream / automatic_mangle_stream -- rules the
        //                                                      compiler adds itself
        // (the split is inferred from the parameter names).
        // `single_rule_id`: see run().  `policy_af` is the address family
        // the ruleset is compiled for (presumably AF_INET / AF_INET6).
        // The minus_n_commands_* maps are keyed by chain name and
        // presumably record whether the "-N" (create chain) command for
        // that chain has already been emitted -- confirm in the .cpp.
        // Returns a bool status; whether `false` means failure or merely
        // "nothing generated" must be checked against the definition.
        bool processPolicyRuleSet(
            libfwbuilder::Firewall *fw,
            libfwbuilder::FWObject *ruleset,
            const std::string &single_rule_id,
            std::ostringstream &filter_table_stream,
            std::ostringstream &mangle_table_stream,
            std::ostringstream &automatic_rules_stream,
            std::ostringstream &automatic_mangle_stream,
            fwcompiler::OSConfigurator_linux24 *oscnf,
            int policy_af,
            std::map<const std::string, bool> &minus_n_commands_filter,
            std::map<const std::string, bool> &minus_n_commands_mangle);

        // NAT counterpart of processPolicyRuleSet: compiles one NAT ruleset
        // of `fw` into `nat_stream`.  `minus_n_commands_nat` plays the same
        // role as the minus_n_commands_* maps above.  Same caveat on the
        // meaning of the returned bool.
        bool processNatRuleSet(
            libfwbuilder::Firewall *fw,
            libfwbuilder::FWObject *ruleset,
            const std::string &single_rule_id,
            std::ostringstream &nat_stream,
            fwcompiler::OSConfigurator_linux24 *oscnf,
            int policy_af,
            std::map<const std::string, bool> &minus_n_commands_nat);

    };
130 };
131 
132 #endif
133