rule.java

sifi-0.1.6.tar.gz 出自http://www.ifi.unizh.ch/ikm/SINUS/firewall/ 一个linux的防火墙工具。

/* ----------------------------------------------------------------------
   The SINUS Firewall -- a TCP/IP packet filter for Linux

   Written within the SINUS project at the University of Zurich,
   SWITCH, Telekurs Payserv AG, ETH Zurich.
   originally based on the sf Firewall Software (C) 1996 by Robert
   Muchsel and Roland Schmid.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

   SINUS Firewall resources:
   SINUS Homepage: http://www.ifi.unizh.ch/ikm/SINUS/
   Firewall Homepage: http://www.ifi.unizh.ch/ikm/SINUS/firewall.html
   Frequently asked questions: http://www.ifi.unizh.ch/ikm/SINUS/sf_faq.html
   Mailing list for comments, questions, bug reports: firewall@ifi.unizh.ch
   ----------------------------------------------------------------------  */



package sfclasses;

import java.awt.*;
import java.awt.event.*;
import java.util.*;
import java.io.*;

/**
 * Filter configuration rule<br>
 * Objects of this class contain the complete information about one
 * filter rule. They are used to store the data for displaying the
 * active configuration of a firewall and to store the global configuration
 * data.
 * @version 1.0 03 Dec 1996
 * @author Roland E. Schmid
 */

public class Rule implements Persistent {

  /**
   * Initialize an empty rule object. This constructor is used by the
   * persistence methods.
   */
  public Rule() {
  }

  /**
   * Initialize the rule with data from a template. This is used for
   * autoconfiguration. 
   * @param oldrule Previously generated rule from same template or null.<br>
   * If oldrule is not null, the active, changed, and warn fields of the
   * new rule are initialized according to the old rule.
   * @param tID template ID
   * @param sID sub ID. More than one rule can be generated from a server
   * template. The sub ID is either 0 (for non-server templates) or
   * 2 * hierarchy level - 1 for server templates.
   */
  public Rule(Rule oldrule, int tID, int sID) {
    if (oldrule == null) {
      active = true;
      changed = false;
      warn = false;
    }
    else {
      active = oldrule.active;
      changed = false;
      warn = oldrule.changed | oldrule.warn;
    }
    if (tID < Templates.numberTotal) {
      templateID = tID;
      subID = sID;
      // fetch template data
      comment = Templates.comment[tID];
      priority = Templates.priority[tID];
      level_num = Templates.notification[tID];
      fw_src_idx = Templates.fw_src_idx[tID];
      fw_dst_idx = Templates.fw_dst_idx[tID];
      fw_src_cnt = 0;
      fw_dst_cnt = 0;
      timeout_type = SF_RULE_STATIC;
      fw_rc = Templates.fw_rc[tID];
      fw_flags = Templates.fw_flags[tID];
      ttl = Templates.ttl[tID];
      protocol = Templates.protocol[tID];
      fw_rip_idx = 0; // rip address templates not implemented
      fw_rip_cnt = 0;
    }
    else {
      System.out.println("Error: Template "+tID+" does not exist!");
      templateID = -1;
    }
  }

  /**
   * Bring up a dialog box for editing the rule.
   * @param parent Parent frame
   * @param mgDomain Manage domain object holding the global configuration data.
   * @param rp Calling frame that will be notified when the dialog closes
   * @param newRule If true the rule will be deleted from the rule vector
   * when the user selects cancel.
   */
  public void editDialog(Frame parent, ManageDomain mgDomain, Refreshable rp, boolean newRule) {
    RuleEditDialog ed = new RuleEditDialog(parent, this, mgDomain, rp, newRule);
    ed.setVisible(true);
  }

  /**
   * Return the text to be displayed for the rule in the rule panel.
   * @param column Number of the rule panel column.
   * @param firewall When displaying the active rules of a firewall, this
   * parameter contains the corresponding firewall, otherwise null.
   * @param mgDomain Manage domain object holding the global configuration data.
   * @return Array of strings for each line to display.
   */
  public String[] getString(int column, Host firewall, ManageDomain mgDomain) {
    stringCount = 0;
    switch (column) {
      case 0: // num column
        addString("Rule "); // add rule number later
        if (firewall != null) { // sfc show
          if (timeout_type == SF_RULE_STATIC)
            addString("static");
          else if (timeout_type == SF_TIMEOUT_VALID) {
            addString("dynamic");
            String tstr = timeout.toString();
            addString(tstr.substring(tstr.indexOf(':')-2,tstr.indexOf(':')+6));
          }
          else 
            addString("invalid");
        }
        else { // global rules
          if (templateID > -1) {
            addString("autoconf");
            if (changed)
              addString("changed");
            if (warn)
              addString("warn");
          }
          if (priority)
            addString("priority");
        }
        break;
      case 1: // action column
        switch (fw_rc) {
          case FW_ACCEPT:
            addString("accept");
            break;
          case SF_RC_OBSERVE:
            addString("observe");
            break;
          case FW_BLOCK:
            addString("block");
            break;
          case SF_RC_TREJECT:
            addString("reject");
            if (firewall == null) // rule editor
              addString(" with tcp reset");
            else // sfc show: tcp reset and best are synonymous
              addString(" with tcp rst / best");
            break;
          case SF_RC_BEST:
            addString("reject");
            addString(" with best");
          case SF_RC_ECHO:
            addString("reject");
            addString(" with echo reply");
            break;
          case SF_RC_RNET:
            addString("reject");
            addString(" with net unreachable");
            break;
          case FW_REJECT:
            addString("reject");
            addString(" with host unreachable");
            break;
          case SF_RC_RPROTO:
            addString("reject");
            addString(" with protocol unreachable");
            break;
          case SF_RC_RPORT:
            addString("reject");
            addString(" with port unreachable");
            break;
          default:
            addString("unknown");
            break;
        }
        break;
      case 2: // protocol column
        // IP options, ttl (show them in the protocol column as they are not used very often)
        if ((fw_flags & SF_FW_CHECK_OPT) != 0) {
          addString("IP options");
          if ((fw_flags & SF_FW_OPT_RR) != 0)
            addString(" Record route");
          if ((fw_flags & SF_FW_OPT_TS) != 0)
            addString(" Timestamp");
          if ((fw_flags & SF_FW_OPT_SEC) != 0)
            addString(" Security");
          if ((fw_flags & SF_FW_OPT_LSR) != 0)
            addString(" Loose source route");
          if ((fw_flags & SF_FW_OPT_SSR) != 0)
            addString(" Strict source route");
          if ((fw_flags & SF_FW_OPT_SATID) != 0)
            addString(" Sat ID");
        }
        if ((fw_flags & SF_FW_CHECK_TTL) != 0) {
          StringBuffer sb = new StringBuffer("IP: TTL ");
          switch (fw_flags & SF_FW_TTL) {
            case SF_FW_TTL_EQUAL:
              sb.append("=");
              break;
            case SF_FW_TTL_LESS:
              sb.append("<");
              break;
            case SF_FW_TTL_GREATER:
              sb.append(">");
              break;
            case SF_FW_TTL_NOTEQUAL:
              sb.append("!=");
              break;
          }
          sb.append(ttl);
          addString(sb.toString());
        }
        // protocol
        int protflags = fw_flags & SF_FW_PROT;
        if (protflags == SF_FW_PROT_ALL) {
          addString("all protocols");
        }
        else if (protflags == SF_FW_PROT_RIP) {
          addString("RIP");
          print_addr(fw_rip_idx, fw_rip_cnt, firewall, mgDomain);
        }
        else if (protflags == SF_FW_CHECK_PROTOCOL) {
          switch (protocol) {
            case IPPROTO_ICMP:
              addString("ICMP");
              if ((fw_flags & SF_TYPE_MASK) != SF_ICMP_ALLTYPES) {
                if ((fw_flags & SF_ICMP_ECHOREPLY) != 0)
                  addString(" echo reply");
                if ((fw_flags & SF_ICMP_DEST_UNREACH) != 0)
                  addString(" dest. unreachable");
                if ((fw_flags & SF_ICMP_SOURCE_QUENCH) != 0)
                  addString(" source quench");
                if ((fw_flags & SF_ICMP_REDIRECT) != 0)
                  addString(" redirect");
                if ((fw_flags & SF_ICMP_ECHO) != 0)
                  addString(" echo request");
                if ((fw_flags & SF_ICMP_TIME_EXCEEDED) != 0)
                  addString(" time exceeded");
                if ((fw_flags & SF_ICMP_PARAMETERPROB) != 0)
                  addString(" parameter problem");
                if ((fw_flags & SF_ICMP_TIMESTAMP) != 0)
                  addString(" timestamp request");
                if ((fw_flags & SF_ICMP_TIMESTAMPREPLY) != 0)
                  addString(" timestamp reply");
                if ((fw_flags & SF_ICMP_INFO_REQUEST) != 0)
                  addString(" information request");
                if ((fw_flags & SF_ICMP_INFO_REPLY) != 0)
                  addString(" information reply");
                if ((fw_flags & SF_ICMP_ADDRESS) != 0)
                  addString(" address mask request");
                if ((fw_flags & SF_ICMP_ADDRESSREPLY) != 0)
                  addString(" address mask reply");
              }
              break;
            case IPPROTO_IGMP:
              addString("IGMP");
              if ((fw_flags & SF_TYPE_MASK) != SF_IGMP_ALLTYPES) {
                if ((fw_flags & SF_IGMP_HOST_MEMBERSHIP_QUERY) != 0)
                  addString(" membership query");
                if ((fw_flags & SF_IGMP_HOST_MEMBERSHIP_REPORT) != 0)
                  addString(" membership report");
                if ((fw_flags & SF_IGMP_HOST_LEAVE_MESSAGE) != 0)
                  addString(" leave message");
              }
              break;
            case IPPROTO_TCP:
              addString("TCP");
              break;
            default:
              if (protocol <= MAX_PROTOCOL)
                addString(protocols[protocol]);
              else
                addString("Prot. "+Integer.toString(protocol));
              break;
          } // switch (protocol)
        }
        if ((protflags == SF_FW_PROT_ALL ||
            (protflags == SF_FW_CHECK_PROTOCOL && protocol == IPPROTO_TCP)) &&
            fw_rc == FW_ACCEPT) {
          if ((fw_flags & SF_FTP_NO_ACTIVE) != 0 && (fw_flags & SF_FTP_NO_PASSIVE) != 0)
            addString("no FTP data conn.");
          else if ((fw_flags & SF_FTP_NO_ACTIVE) != 0)
            addString("no FTP active mode");
          else if ((fw_flags & SF_FTP_NO_PASSIVE) != 0)
            addString("no FTP passive mode");
        }
        break;
      case 3: // from column
        print_addr(fw_src_idx, fw_src_cnt, firewall, mgDomain);
        break;
      case 4: // to column
        print_addr(fw_dst_idx, fw_dst_cnt, firewall, mgDomain);
        break;
      case 5: // notification column
        if (level_num == 0)
          addString("None");
        else {
          Notification n;
          if (mgDomain != null) 
            n = Notification.getLevel(level_num, mgDomain.NLevels);
          else
            n = null;
          if (n != null && n.levelName.length() > 0)
            addString(n.levelName);
          else
            addString("Level "+Integer.toString(level_num));
        }
        protflags = fw_flags & SF_FW_PROT;
        if ((protflags == SF_FW_PROT_ALL ||
            (protflags == SF_FW_CHECK_PROTOCOL && protocol == IPPROTO_TCP)) &&
            fw_rc == FW_ACCEPT) 
          if ((fw_flags & SF_FTP_DATA_LOG) != 0)
            addString("FTP data conn.");
        break;
      case 6: // usage or valid-for column
        if (firewall == null) { // 'valid for firewalls' column
          int validcnt = 0;
          int j;
          for (j=0; j < validFor.length; j++)
            if (validFor[j])
              validcnt++;
          try {
            if (validcnt == validFor.length)
              addString("All");
            else if (validcnt == 0)
              addString("None");
            else if (validcnt <= (validFor.length / 2)) {
              for (j=0; j < validFor.length; j++)
                if (validFor[j])
                  addString(((Host)mgDomain.Firewalls.elementAt(j)).objectID);
            }
            else {
              for (j=0; j < validFor.length; j++)
                if (!validFor[j])
                  addString("Not "+((Host)mgDomain.Firewalls.elementAt(j)).objectID);
            }