"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "go/pkg/pass1/nat.go" between
Netspoc-6.025.tar.gz and Netspoc-6.026.tar.gz

About: NetSPoC is a network security policy compiler (using its own description language) to manage all the packet filter devices inside your network topology.

nat.go  (Netspoc-6.025):nat.go  (Netspoc-6.026)
skipping to change at line 272 skipping to change at line 272
} }
//############################################################################# //#############################################################################
// Purpose : Divide topology into NAT domains. // Purpose : Divide topology into NAT domains.
// Networks and NAT domain limiting routers keep references // Networks and NAT domain limiting routers keep references
// to their domains. // to their domains.
// Results : domain has lists of its zones and limiting routers, // Results : domain has lists of its zones and limiting routers,
// routers that are domain limiting, contain references to the // routers that are domain limiting, contain references to the
// limited domains and store NAT tags bound to domains border // limited domains and store NAT tags bound to domains border
// interfaces. // interfaces.
// Returns nil on error.
func (c *spoc) findNatDomains() []*natDomain { func (c *spoc) findNatDomains() []*natDomain {
type key struct { type key struct {
router *router router *router
natList1 string natList1 string
natList2 string natList2 string
} }
natErrSeen := make(map[key]bool) natErrSeen := make(map[key]bool)
// Perform depth first search to collect zones and limiting // Perform depth first search to collect zones and limiting
skipping to change at line 417 skipping to change at line 418
} }
name := "nat_domain:" + strings.SplitN(z.name, ":", 2)[1] name := "nat_domain:" + strings.SplitN(z.name, ":", 2)[1]
natSet := make(map[string]bool) natSet := make(map[string]bool)
d := &natDomain{ d := &natDomain{
name: name, name: name,
natSet: &natSet, natSet: &natSet,
} }
result = append(result, d) result = append(result, d)
setNatDomain(z, d, nil) setNatDomain(z, d, nil)
} }
if len(natErrSeen) > 0 {
return nil
}
return result return result
} }
//############################################################################# //#############################################################################
// Purpose : Show interfaces, where bind_nat for NAT tag is missing. // Purpose : Show interfaces, where bind_nat for NAT tag is missing.
func (c *spoc) errMissingBindNat( func (c *spoc) errMissingBindNat(
inRouter *router, d *natDomain, tag string, multinatMaps []natMap) { inRouter *router, d *natDomain, tag string, multinatMaps []natMap) {
// Collect interfaces where bind_nat for natTag is applied correctly. // Collect interfaces where bind_nat for natTag is applied correctly.
// First, add interface between inRouter and d. // First, add interface between inRouter and d.
skipping to change at line 897 skipping to change at line 901
} }
sort.Strings(messages) sort.Strings(messages)
for _, m := range messages { for _, m := range messages {
c.err(m) c.err(m)
} }
} }
} }
} }
} }
// Check if a single NAT tag is bound to all interfaces of a router.
// A similar check for equalty of all tags has already been performed in
// findNatDomains.
func (c *spoc) CheckUselessBindNat(doms []*natDomain) {
seen := make(map[*router]bool)
for _, d := range doms {
for _, r := range d.routers {
if seen[r] {
continue
}
seen[r] = true
intersect := make(map[string]bool)
tags := r.natTags[d]
for _, t := range tags {
intersect[t] = true
}
for d2, tags := range r.natTags {
if d2 == d {
continue
}
intersect2 := make(map[string]bool)
for _, t := range tags {
if intersect[t] {
intersect2[t] = true
}
}
intersect = intersect2
if len(intersect) == 0 {
break
}
}
if len(intersect) > 0 {
fullTags := make(stringList, 0, len(intersect))
for t := range intersect {
fullTags.push("nat:" + t)
}
sort.Strings(fullTags)
list := strings.Join(fullTags, ",")
c.warn("Ignoring %s without effect, bound at ever
y interface of %s",
list, r)
}
}
}
}
//############################################################################ //############################################################################
// Purpose: Check compatibility of host/interface and network NAT. // Purpose: Check compatibility of host/interface and network NAT.
// Comment: A NAT definition for a single host/interface is only allowed, // Comment: A NAT definition for a single host/interface is only allowed,
// if network has a dynamic NAT definition. // if network has a dynamic NAT definition.
func (c *spoc) checkNatCompatibility() { func (c *spoc) checkNatCompatibility() {
for _, n := range c.allNetworks { for _, n := range c.allNetworks {
check := func(obj netObj) { check := func(obj netObj) {
nat := obj.nat nat := obj.nat
if nat == nil { if nat == nil {
return return
skipping to change at line 945 skipping to change at line 994
} }
//############################################################################ //############################################################################
// Purpose: Find interface with dynamic NAT which is bound at the same // Purpose: Find interface with dynamic NAT which is bound at the same
// device. This is invalid for device with "need_protect". // device. This is invalid for device with "need_protect".
// Comment: "need_protect" devices use NetSPoC generated ACLs to manage access // Comment: "need_protect" devices use NetSPoC generated ACLs to manage access
// to their interfaces. To ensure safety, the devices interfaces // to their interfaces. To ensure safety, the devices interfaces
// need to have a fixed address. // need to have a fixed address.
func (c *spoc) checkInterfacesWithDynamicNat() { func (c *spoc) checkInterfacesWithDynamicNat() {
for _, n := range c.allNetworks { for _, n := range c.allNetworks {
var tags stringList
for tag, _ := range n.nat { for tag, _ := range n.nat {
tags.push(tag)
}
sort.Strings(tags)
for _, tag := range tags {
info := n.nat[tag] info := n.nat[tag]
if !info.dynamic || (info.identity || info.hidden) { if !info.dynamic || info.identity || info.hidden {
continue continue
} }
for _, intf := range n.interfaces { for _, intf := range n.interfaces {
intfNat := intf.nat intfNat := intf.nat
// Interface has static translation, // Interface has static translation,
if intfNat != nil && intfNat[tag] != nil { if intfNat[tag] != nil {
continue continue
} }
r := intf.router r := intf.router
if !r.needProtect { if !r.needProtect {
continue continue
} }
for _, bindIntf := range r.interfaces { for _, bindIntf := range r.interfaces {
for _, tag2 := range bindIntf.bindNat { for _, tag2 := range bindIntf.bindNat {
if tag2 == tag { if tag2 == tag {
skipping to change at line 1032 skipping to change at line 1076
c.progress("Distributing NAT") c.progress("Distributing NAT")
natType := c.getLookupMapForNatType() natType := c.getLookupMapForNatType()
c.checkNatDefinitions(natType) c.checkNatDefinitions(natType)
natdomains := c.findNatDomains() natdomains := c.findNatDomains()
multi := c.generateMultinatDefLookup(natType) multi := c.generateMultinatDefLookup(natType)
natErrors := c.distributeNatTagsToNatDomains(multi, natdomains) natErrors := c.distributeNatTagsToNatDomains(multi, natdomains)
c.checkMultinatErrors(multi, natdomains) c.checkMultinatErrors(multi, natdomains)
if !natErrors { if !natErrors {
c.checkNatNetworkLocation(natdomains) c.checkNatNetworkLocation(natdomains)
c.CheckUselessBindNat(natdomains)
} }
c.checkNatCompatibility() c.checkNatCompatibility()
c.checkInterfacesWithDynamicNat() c.checkInterfacesWithDynamicNat()
distributeNatSetsToInterfaces(natdomains) distributeNatSetsToInterfaces(natdomains)
return natdomains, natType, multi return natdomains, natType, multi
} }
// Combine different natSets into a single natSet in a way // Combine different natSets into a single natSet in a way
// that NAT mapping remains mostly identical. // that NAT mapping remains mostly identical.
 End of changes. 8 change blocks. 
7 lines changed or deleted 53 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)