Build results of 1645b26 (on master)

hknutzen · Nov 23, 2015 · 697188d · 697188d
1 parent 1f801aa
commit 697188d
Show file tree

Hide file tree

Showing 59 changed files with 25,182 additions and 1,549 deletions.
diff --git a/Changes b/Changes
@@ -1,3 +1,14 @@
+4.6       2015-11-23 13:55:13+01:00 Europe/Berlin
+
+ - Overlapping IP address ranges of hosts must have identical owner now.
+ - Protocol modifiers src_any, dst_any are no longer supported.
+ - Routes for ID-hosts (i.e. VPN software clients) are 
+   no longer combined at VPN hub.
+ - Fixed small bug in remove-from-netspoc. 
+   It ignores start of group definition in comments now.
+ - Significant runtime and memory improvement by finding grouped rules 
+   directly from rules of services.
+
 4.5       2015-11-03 16:48:57+01:00 Europe/Berlin
 
  - Routes to adjacent networks are combined now, 

diff --git a/MANIFEST b/MANIFEST
@@ -19,6 +19,33 @@ bin/rename-netspoc
 bin/spoc1
 bin/spoc2
 bin/watchers-to-json
+cover_db/cover.14
+cover_db/cover.css
+cover_db/coverage.html
+cover_db/digests
+cover_db/lib-Netspoc-Compiler-Common-pm--branch.html
+cover_db/lib-Netspoc-Compiler-Common-pm--subroutine.html
+cover_db/lib-Netspoc-Compiler-Common-pm.html
+cover_db/lib-Netspoc-Compiler-File-pm--branch.html
+cover_db/lib-Netspoc-Compiler-File-pm--subroutine.html
+cover_db/lib-Netspoc-Compiler-File-pm.html
+cover_db/lib-Netspoc-Compiler-GetArgs-pm--branch.html
+cover_db/lib-Netspoc-Compiler-GetArgs-pm--condition.html
+cover_db/lib-Netspoc-Compiler-GetArgs-pm--subroutine.html
+cover_db/lib-Netspoc-Compiler-GetArgs-pm.html
+cover_db/lib-Netspoc-Compiler-Pass1-pm--branch.html
+cover_db/lib-Netspoc-Compiler-Pass1-pm--condition.html
+cover_db/lib-Netspoc-Compiler-Pass1-pm--subroutine.html
+cover_db/lib-Netspoc-Compiler-Pass1-pm.html
+cover_db/lib-Netspoc-Compiler-Pass2-pm--branch.html
+cover_db/lib-Netspoc-Compiler-Pass2-pm--condition.html
+cover_db/lib-Netspoc-Compiler-Pass2-pm--subroutine.html
+cover_db/lib-Netspoc-Compiler-Pass2-pm.html
+cover_db/structure/0fd257552ab83c238a3d4cb511ca2e7c
+cover_db/structure/56719d18f559be0a20390b058362b7ad
+cover_db/structure/5bfaf7d355b1928b6610dcedc36f6ee2
+cover_db/structure/a7e69414a956a1f9dad54ae09fab2017
+cover_db/structure/db11e75337b73f337b6bac7b70e917e1
 cvs-support/Makefile
 cvs-support/append-commitlog.c
 cvs-support/cvs-SETXID_SUPPORT.patch

diff --git a/META.yml b/META.yml
@@ -33,4 +33,4 @@ requires:
   strict: '0'
   utf8: '0'
   warnings: '0'
-version: '4.5'
+version: '4.6'
diff --git a/Makefile.PL b/Makefile.PL
@@ -56,7 +56,7 @@ my %WriteMakefileArgs = (
     "Test::More" => 0,
     "lib" => 0
   },
-  "VERSION" => "4.5",
+  "VERSION" => "4.6",
   "test" => {
     "TESTS" => "t/*.t"
   }

diff --git a/README b/README
@@ -1,7 +1,7 @@
 
 
 This archive contains the distribution Netspoc,
-version 4.5:
+version 4.6:
 
   Generates rules for many firewalls from a central ruleset.
 

diff --git a/bin/add-to-netspoc b/bin/add-to-netspoc
@@ -80,7 +80,7 @@ use Getopt::Long;
 use Pod::Usage;
 use Encode;
 
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 my $filename_encode = 'UTF-8';
 
 my $ignore_files = '^(raw|config|CVS|RCS|\.#.*|.*~)$';

diff --git a/bin/cut-netspoc b/bin/cut-netspoc
@@ -63,7 +63,7 @@ use Netspoc::Compiler::Common;
 use Netspoc::Compiler::Pass1;
 use Encode qw(decode_utf8);
 
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 
 ####################################################################
 # Argument processing
@@ -197,7 +197,7 @@ sub mark_topology {
 sub path_unmanaged {
     my ($obj, $in_interface) = @_;
     return 1 if $obj->{is_used};
-    return if $obj->{managed};
+    return if $obj->{managed} || $obj->{semi_managed};
     return if $obj->{active_path};
 
     local $obj->{active_path} = 1;
@@ -221,7 +221,7 @@ sub mark_unmanaged {
 #        debug "Path unmanaged $network->{name}";
 	for my $interface (@{ $network->{interfaces} }) {
 	    my $router = $interface->{router};
-#	    debug "Path unmanaged $router->{name} $interface->{name}";
+#	    debug "Try $router->{name} $interface->{name}";
 	    if (path_unmanaged($router, $interface)) {
                 $interface->{is_used} = 1;
 #                debug "Marked $interface->{name}";
@@ -301,7 +301,8 @@ if (@ARGV) {
 &setpath();
 find_subnets_in_zone();
 link_reroute_permit();
-&expand_services(1);
+normalize_services();
+expand_services();
 
 # Process rules of services.
 sub process_rules {
@@ -318,7 +319,7 @@ sub process_rules {
 #		    debug "Used $obj->{name}";
 		    $obj->{is_used} = 1;
 		}
-		elsif ($type eq 'Subnet') {
+		elsif ($type eq 'Host') {
 		    $obj->{is_used} = 1;
 #		    debug "Used $obj->{name}";
 		    $obj->{network}->{is_used} = 1;
@@ -423,6 +424,7 @@ mark_unmanaged();
 
 # Mark bridge and bridged networks.
 for my $network (values %networks) {
+    $network->{is_used} or next;
     $network->{bridged} or next;
     for my $bridge_in (@{ $network->{interfaces} }) {
         $bridge_in->{ip} eq 'bridged' or next;
@@ -500,6 +502,12 @@ for my $router (values %routers) {
         if (my $crypto_list = $interface->{hub}) {
             $mark_crypto->($_) for @$crypto_list;
         }
+
+        # Mark networks referenced by interfaces 
+        # implictly marked by expand_group.
+        if ($interface->{is_used}) {
+            $interface->{network}->{is_used} = 1;
+        }
     }
 
     # Remove unused hosts referenced in attribute radius_servers.
@@ -525,20 +533,12 @@ for my $network (values %networks) {
     # Retain at least one host of network with ID hosts.
     if ($network->{has_id_hosts}) {
         if (not grep { $_->{is_used} } @$hosts) {
-            $hosts->[0]->{subnets}->[0]->{is_used} = 1;
+            $hosts->[0]->{is_used} = 1;
         }
     }
 
-  HOST:
     for my $host (@$hosts) {
-        for my $subnet (@{ $host->{subnets} }) {
-            my $up = $subnet;
-            while ($up and is_subnet($up)) {
-                next HOST if $up->{is_used};
-                $up = $up->{up};
-            }
-        }
-
+        next if $host->{is_used};
         my $name = $host->{name};
 
         # Remove trailing network name of ID-host.

diff --git a/bin/export-netspoc b/bin/export-netspoc
@@ -444,8 +444,7 @@ sub setup_service_info {
         next if $service->{disabled};
         my $sname = $service->{name};
 
-        my $users = $service->{expanded_user} =
-            expand_group($service->{user}, "user of $sname");
+        my $users = $service->{expanded_user} = $service->{user};
 
         # Non 'user' objects.
         my @objects;
@@ -1053,6 +1052,8 @@ set_zone();
 distribute_nat_info();
 setpath();
 find_subnets_in_zone();
+propagate_owners();
+normalize_services();
 set_service_owner();
 find_subnets_in_nat_domain();
 setup_zones();

diff --git a/bin/print-group b/bin/print-group
@@ -86,7 +86,7 @@ use Netspoc::Compiler::Pass1;
 use Getopt::Long;
 use Pod::Usage;
 
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 
 # Take higher bits from network NAT, lower bits from original IP.
 # This works with and without NAT.
@@ -223,7 +223,6 @@ while (1) {
 &distribute_nat_info();
 &setpath();
 find_subnets_in_zone();
-convert_hosts();
 if ($show_owner) {
     propagate_owners();
 }
@@ -238,31 +237,24 @@ if($nat_net) {
 }
 
 # Expand group definition(s).
-my $elements = 
-    expand_group_in_rule(\@parsed, 'print-group', 0);
+my $elements = expand_group_in_rule(\@parsed, 'print-group');
 
 # Find unused objects by marking used objects.
 if ($show_unused) {
-    &order_protocols();
-    &expand_services(0);
-    &abort_on_error();
-    for my $type ('deny', 'permit') {
-	for my $rule (@{ $expanded_rules{$type} }) {
-	    for my $where ('src', 'dst') {
-		my $obj = $rule->{$where};
-		if (is_host $obj) {
-		    for my $subnet (@{ $obj->{subnets} }) {
-			$subnet->{is_used} = 1;
-		    }
-                    $obj->{network}->{is_used} = 1;
-		}
-                elsif (is_interface $obj) {
-		    $obj->{is_used} = 1;
-                    $obj->{network}->{is_used} = 1;
-                }                    
-		else {
-		    $obj->{is_used} = 1;
-		}
+    order_protocols();
+    normalize_services();
+    abort_on_error();
+    for my $action (qw(permit deny)) {
+        my $rules = $service_rules{$action} or next;
+        for my $rule (@$rules) {
+            for my $what (qw(src dst)) {
+                my $group = $rule->{$what};
+                for my $obj (@$group) {
+                    $obj->{is_used} = 1;
+                    if (is_host($obj) or is_interface($obj)) {
+                        $obj->{network}->{is_used} = 1;
+                    }
+                }
 	    }
 	}
     }

diff --git a/bin/print-service b/bin/print-service
@@ -71,7 +71,7 @@ use Netspoc::Compiler::Pass1;
 use Getopt::Long;
 use Pod::Usage;
 
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 
 ####################################################################
 # Argument processing
@@ -178,7 +178,9 @@ if($nat_net) {
 # Expand services
 my %service2rules;
 &order_protocols();
-&expand_services(1);
+normalize_services();
+convert_hosts_in_rules();
+expand_services();
 &abort_on_error();
 for my $type ('deny', 'permit') {
     for my $rule (@{ $expanded_rules{$type} }) {

diff --git a/bin/remove-from-netspoc b/bin/remove-from-netspoc
@@ -78,7 +78,7 @@ use Getopt::Long;
 use Pod::Usage;
 use Encode;
 
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 my $filename_encode = 'UTF-8';
 
 my $ignore_files = '^(raw|config|CVS|RCS|\.#.*|.*~)$';
@@ -211,11 +211,21 @@ sub process {
                     $in_list = undef;
                 }
             }
+
+            # Ignore comment.
+            elsif ($line =~ /\G (\s* [#] .*) /gcx) {
+                $copy .= $1;
+                last TOKEN;
+            }
+
+            # Find equal sign.
             elsif ($search_eq and $line =~ /\G (\s*=\s*) /gcsx) {
                 $copy .= $1;
                 $in_list = 1;
                 $search_eq = 0;
             }
+
+            # Find start of group.
             elsif ($line =~ /\G (.*?) (src | dst | user | group:[-\w]+) /gcx) {
                 $copy .= "$1$2";
                 $search_eq = 1;

diff --git a/bin/rename-netspoc b/bin/rename-netspoc
@@ -84,7 +84,7 @@ use Getopt::Long;
 use Pod::Usage;
 use Encode;
 
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 my $filename_encode = 'UTF-8';
 
 my $ignore_files = '^(raw|config|CVS|RCS|\.#.*|.*~)$';

diff --git a/bin/spoc1 b/bin/spoc1
@@ -46,7 +46,7 @@ use strict;
 use warnings;
 use Netspoc::Compiler::Pass1;
 
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 my $version = __PACKAGE__->VERSION || 'devel';
 
 Netspoc::Compiler::Pass1::compile(\@ARGV);
diff --git a/bin/spoc2 b/bin/spoc2
@@ -52,7 +52,7 @@ use strict;
 use warnings;
 use Netspoc::Compiler::Pass2;
 
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 my $program = 'Netspoc';
 my $version = __PACKAGE__->VERSION || 'devel';
 

diff --git a/bin/watchers-to-json b/bin/watchers-to-json
@@ -14,7 +14,7 @@ use utf8;
 use Encode;
 use File::Path qw(make_path);
 use JSON;
-our $VERSION = '4.5'; # VERSION: inserted by DZP::OurPkgVersion
+our $VERSION = '4.6'; # VERSION: inserted by DZP::OurPkgVersion
 my $filename_encode = 'UTF-8';
 
 my $ignore_files = '^(raw|config|JSON|CVS|RCS|\.#.*|.*~)$';

diff --git a/cover_db/cover.14 b/cover_db/cover.14