
Source code changes of the file "go/pkg/pass1/group-path-rules.go" between
Netspoc-6.026.tar.gz and Netspoc-6.027.tar.gz

About: NetSPoC is a network security policy compiler (using its own description language) to manage all the packet filter devices inside your network topology.

group-path-rules.go  (Netspoc-6.026):group-path-rules.go  (Netspoc-6.027)
package pass1 package pass1
import ( import (
"bytes"
"fmt" "fmt"
"github.com/hknutzen/Netspoc/go/pkg/conf" "github.com/hknutzen/Netspoc/go/pkg/conf"
"net" "inet.af/netaddr"
"sort" "sort"
"strings" "strings"
) )
type objPair [2]someObj type objPair [2]someObj
// nextIP decrements the given net.IP by one bit.
func prevIP(ip net.IP) net.IP {
prev := make(net.IP, len(ip))
copy(prev, ip)
for i := len(prev) - 1; i >= 0; i-- {
prev[i]--
// Only subtract from the next byte if we overflowed.
if ip[i] != 0xff {
break
}
}
return prev
}
// This handles a rule between objects inside a single security zone or // This handles a rule between objects inside a single security zone or
// between interfaces of a single managed router. // between interfaces of a single managed router.
// Show warning or error message if rule is between // Show warning or error message if rule is between
// - different interfaces or // - different interfaces or
// - different networks or // - different networks or
// - subnets/hosts of different networks. // - subnets/hosts of different networks.
// Rules between identical objects are silently ignored. // Rules between identical objects are silently ignored.
// But a message is shown if a service only has rules between identical objects. // But a message is shown if a service only has rules between identical objects.
func collectUnenforceable(rule *groupedRule) { func collectUnenforceable(rule *groupedRule) {
service := rule.rule.service service := rule.rule.service
skipping to change at line 59 skipping to change at line 44
case *subnet: case *subnet:
if d, ok := dst.(*subnet); ok { if d, ok := dst.(*subnet); ok {
// For rules with different subne ts of a single // For rules with different subne ts of a single
// network we don't know if the s ubnets have been // network we don't know if the s ubnets have been
// split from a single range. // split from a single range.
// E.g. range 1-4 becomes four su bnets 1,2-3,4 // E.g. range 1-4 becomes four su bnets 1,2-3,4
// For most splits the resulting subnets would be // For most splits the resulting subnets would be
// adjacent. Hence we check for a djacency. // adjacent. Hence we check for a djacency.
if s.network == d.network { if s.network == d.network {
var n net.IPNet var n netaddr.IPPrefix
var next net.IP var next netaddr.IP
if bytes.Compare(s.ip, d. if s.ipp.IP.Less(d.ipp.IP
ip) == -1 { ) {
n.IP = s.ip n = s.ipp
n.Mask = s.mask next = d.ipp.IP
next = d.ip
} else { } else {
n.IP = d.ip n = d.ipp
n.Mask = d.mask next = s.ipp.IP
next = s.ip
} }
if n.Contains(prevIP(next )) { if n.Contains(next.Prior( )) {
continue continue
} }
} }
} }
case *network: case *network:
if s.isAggregate { if s.isAggregate {
size, _ := s.mask.Size() if s.ipp.Bits == 0 {
if size == 0 {
// This is a common case, which results from // This is a common case, which results from
// rules like user -> any :[user] // rules like user -> any :[user]
continue continue
} }
if d, ok := dst.(*network); ok { if d, ok := dst.(*network); ok {
// Different aggregates w ith identical IP, // Different aggregates w ith identical IP,
// inside a zone cluster must be considered as equal. // inside a zone cluster must be considered as equal.
if d.isAggregate && if d.isAggregate &&
s.ip.Equal(d.ip) s.ipp == d.ipp {
&&
net.IP(s.mask).Eq
ual(net.IP(d.mask)) {
continue continue
} }
} }
} }
} }
if d, ok := dst.(*network); ok { if d, ok := dst.(*network); ok {
if d.isAggregate { if d.isAggregate {
size, _ := d.mask.Size() if d.ipp.Bits == 0 {
if size == 0 {
continue continue
} }
} }
} }
} }
if service.seenUnenforceable == nil { if service.seenUnenforceable == nil {
service.seenUnenforceable = make(map[objPair]bool ) service.seenUnenforceable = make(map[objPair]bool )
} }
service.seenUnenforceable[objPair{src, dst}] = true service.seenUnenforceable[objPair{src, dst}] = true
} }
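Review bot: The rewritten adjacency check in the `*subnet` case picks the lower prefix as `n` and then tests `n.Contains(next.Prior())`, but the new code carries no comment explaining that this is what makes two subnets of the same network count as adjacent, and the comment above it still talks only about "adjacency" in the abstract; a line such as `// n is the lower prefix; the subnets are adjacent when the address just below the upper one lies inside n.` above the `if s.ipp.IP.Less(d.ipp.IP)` line would make the intent clear. The old `prevIP` wrapped around on a zero address whereas, as far as I recall the netaddr API, `IP.Prior()` returns the zero IP at the bottom of the address family and `IPPrefix.Contains` rejects it, so that corner case now yields "not adjacent" rather than a wrap-around; worth confirming and noting, since a missed adjacency here changes whether a rule is reported as unenforceable. The aggregate comparison `s.ipp == d.ipp` relies on netaddr's value equality, which I believe distinguishes an IPv4 prefix from its IPv4-mapped-IPv6 form; if both forms can reach this code a short comment stating the assumption would help. The body of collectUnenforceable is partly elided in this section ("skipping to change at line"), so the earlier part of the switch is not visible here.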
 End of changes. 9 change blocks. 
35 lines changed or deleted 13 lines changed or added
