ips_policy.back(), network_policy.back());
}
+std::shared_ptr<PolicyTuple> PolicyMap::get_policies(Shell* sh)
+{
+ const auto& pt = shell_map.find(sh);
+
+ return pt == shell_map.end() ? nullptr:pt->second;
+}
+
//-------------------------------------------------------------------------
// policy nav
//-------------------------------------------------------------------------
{ return s_detection_policy; }
InspectionPolicy* get_default_inspection_policy(SnortConfig* sc)
-{ return sc->policy_map->inspection_policy[0]; }
+{ return sc->policy_map->get_inspection_policy(0); }
void set_network_policy(NetworkPolicy* p)
{ s_traffic_policy = p; }
{
PolicyMap* pm = sc->policy_map;
- if ( i < pm->network_policy.size() )
- set_network_policy(pm->network_policy[i]);
+ if ( i < pm->network_policy_count() )
+ set_network_policy(pm->get_network_policy(i));
}
void set_inspection_policy(InspectionPolicy* p)
{
PolicyMap* pm = sc->policy_map;
- if ( i < pm->inspection_policy.size() )
- set_inspection_policy(pm->inspection_policy[i]);
+ if ( i < pm->inspection_policy_count() )
+ set_inspection_policy(pm->get_inspection_policy(i));
}
void set_ips_policy(IpsPolicy* p)
{
PolicyMap* pm = sc->policy_map;
- if ( i < pm->ips_policy.size() )
- set_ips_policy(pm->ips_policy[i]);
+ if ( i < pm->ips_policy_count() )
+ set_ips_policy(pm->get_ips_policy(i));
}
void set_policies(SnortConfig* sc, Shell* sh)
{
- auto policies = sc->policy_map->shell_map[sh];
+ auto policies = sc->policy_map->get_policies(sh);
if ( policies->inspection )
set_inspection_policy(policies->inspection);
void set_default_policy(SnortConfig* sc)
{
- set_network_policy(sc->policy_map->network_policy[0]);
- set_inspection_policy(sc->policy_map->inspection_policy[0]);
- set_ips_policy(sc->policy_map->ips_policy[0]);
+ set_network_policy(sc->policy_map->get_network_policy(0));
+ set_inspection_policy(sc->policy_map->get_inspection_policy(0));
+ set_ips_policy(sc->policy_map->get_ips_policy(0));
}
void set_default_policy()
unsigned add_ips_shell(Shell*);
unsigned add_network_shell(Shell*);
std::shared_ptr<PolicyTuple> add_shell(Shell*);
+ std::shared_ptr<PolicyTuple> get_policies(Shell* sh);
void clone(PolicyMap *old_map);
Shell* get_shell(unsigned i = 0)
IpsPolicy* get_user_ips(unsigned user_id)
{ return user_ips[user_id]; }
-public: // FIXIT-M make impl private
+ InspectionPolicy* get_inspection_policy(unsigned i = 0)
+ { return i < inspection_policy.size() ? inspection_policy[i] : nullptr; }
+
+ IpsPolicy* get_ips_policy(unsigned i = 0)
+ { return i < ips_policy.size() ? ips_policy[i] : nullptr; }
+
+ NetworkPolicy* get_network_policy(unsigned i = 0)
+ { return i < network_policy.size() ? network_policy[i] : nullptr; }
+
+ unsigned inspection_policy_count()
+ { return inspection_policy.size(); }
+
+ unsigned ips_policy_count()
+ { return ips_policy.size(); }
+
+ unsigned network_policy_count()
+ { return network_policy.size(); }
+
+ void set_cloned(bool state)
+ { cloned = state; }
+
+private:
std::vector<Shell*> shells;
std::vector<InspectionPolicy*> inspection_policy;
std::vector<IpsPolicy*> ips_policy;
std::vector<NetworkPolicy*> network_policy;
std::unordered_map<Shell*, std::shared_ptr<PolicyTuple>> shell_map;
+ std::unordered_map<unsigned, InspectionPolicy*> user_inspection;
+ std::unordered_map<unsigned, IpsPolicy*> user_ips;
bool cloned = false;
-private:
- std::unordered_map<unsigned, InspectionPolicy*> user_inspection;
- std::unordered_map<unsigned, IpsPolicy*> user_ips;
};
//-------------------------------------------------------------------------
//set_*_policy can set to null. this is used
//to tell which pieces to pick from sub policy
- auto pt = sc->policy_map->shell_map.find(this);
- if ( pt == sc->policy_map->shell_map.end() )
+ auto pt = sc->policy_map->get_policies(this);
+ if ( pt.get() == nullptr )
set_default_policy(sc);
else
{
- set_inspection_policy(pt->second->inspection);
- set_ips_policy(pt->second->ips);
- set_network_policy(pt->second->network);
+ set_inspection_policy(pt->inspection);
+ set_ips_policy(pt->ips);
+ set_network_policy(pt->network);
}
const char* base_name = push_relative_path(file.c_str());
static void init_policies(SnortConfig* sc)
{
- for ( auto p : sc->policy_map->ips_policy )
- p->policy_mode = init_policy_mode(p->policy_mode);
+ IpsPolicy* ips_policy = nullptr;
+ InspectionPolicy* inspection_policy = nullptr;
- for ( auto p : sc->policy_map->inspection_policy )
- p->policy_mode = init_policy_mode(p->policy_mode);
+ for ( unsigned idx = 0; idx < sc->policy_map->ips_policy_count(); ++idx )
+ {
+ ips_policy = sc->policy_map->get_ips_policy(idx);
+ ips_policy->policy_mode = init_policy_mode(ips_policy->policy_mode);
+ }
+
+ for ( unsigned idx = 0; idx < sc->policy_map->inspection_policy_count(); ++idx )
+ {
+ inspection_policy = sc->policy_map->get_inspection_policy(idx);
+ inspection_policy->policy_mode = init_policy_mode(inspection_policy->policy_mode);
+ }
}
//-------------------------------------------------------------------------
policy_map = new PolicyMap(other_conf->policy_map);
}
- set_inspection_policy(get_inspection_policy());
- set_ips_policy(get_ips_policy());
- set_network_policy(get_network_policy());
+ set_inspection_policy(policy_map->get_inspection_policy());
+ set_ips_policy(policy_map->get_ips_policy());
+ set_network_policy(policy_map->get_network_policy());
}
SnortConfig::~SnortConfig()
{
if ( cloned )
{
- policy_map->cloned = true;
+ policy_map->set_cloned(true);
delete policy_map;
return;
}
/* Merge checksum flags. If command line modified them, use from the
* command line, else just use from config_file. */
- int cl_chk = cmd_line->get_network_policy()->checksum_eval;
- int cl_drop = cmd_line->get_network_policy()->checksum_drop;
+ int cl_chk = cmd_line->policy_map->get_network_policy()->checksum_eval;
+ int cl_drop = cmd_line->policy_map->get_network_policy()->checksum_drop;
+
+ NetworkPolicy* nw_policy = nullptr;
- for ( auto p : policy_map->network_policy )
+ for ( unsigned idx = 0; idx < policy_map->network_policy_count(); ++idx )
{
+ nw_policy = policy_map->get_network_policy(idx);
+
if ( !(cl_chk & CHECKSUM_FLAG__DEF) )
- p->checksum_eval = cl_chk;
+ nw_policy->checksum_eval = cl_chk;
if ( !(cl_drop & CHECKSUM_FLAG__DEF) )
- p->checksum_drop = cl_drop;
+ nw_policy->checksum_drop = cl_drop;
}
/* FIXIT-L do these belong in network policy? */
bool cloned = false;
//------------------------------------------------------
- // policy access
- InspectionPolicy* get_inspection_policy()
- { return policy_map->inspection_policy[0]; }
-
- IpsPolicy* get_ips_policy()
- { return policy_map->ips_policy[0]; }
-
- NetworkPolicy* get_network_policy()
- { return policy_map->network_policy[0]; }
-
// decoding related
uint8_t get_num_layers() const
{ return num_layers; }
void InspectorManager::update_policy(SnortConfig* sc)
{
- if ( !sc->policy_map->inspection_policy.empty() )
- {
- InspectionPolicy* pi = sc->policy_map->inspection_policy[0];
- for ( auto* p : pi->framework_policy->ilist )
- p->set_reloaded(RELOAD_TYPE_NONE);
- }
+ InspectionPolicy* pi = sc->policy_map->get_inspection_policy();
+ for ( auto* p : pi->framework_policy->ilist )
+ p->set_reloaded(RELOAD_TYPE_NONE);
}
// FIXIT-M create a separate list for meta handlers? is there really more than one?
void InspectorManager::dispatch_meta(FrameworkPolicy* fp, int type, const uint8_t* data)
bool InspectorManager::delete_inspector(SnortConfig* sc, const char* iname)
{
bool ok = false;
- if ( !sc->policy_map->inspection_policy.empty() )
- {
- FrameworkPolicy* fp = sc->policy_map->inspection_policy[0]->framework_policy;
- std::vector<PHInstance*>::iterator old_it;
+ FrameworkPolicy* fp = sc->policy_map->get_inspection_policy()->framework_policy;
+ std::vector<PHInstance*>::iterator old_it;
- if ( get_instance(fp, iname, false, old_it) )
+ if ( get_instance(fp, iname, false, old_it) )
+ {
+ (*old_it)->set_reloaded(RELOAD_TYPE_DELETED);
+ fp->ilist.erase(old_it);
+ ok = true;
+ std::vector<PHInstance*>::iterator bind_it;
+ if ( get_instance(fp, "binder", false, bind_it) )
{
- (*old_it)->set_reloaded(RELOAD_TYPE_DELETED);
- fp->ilist.erase(old_it);
- ok = true;
- std::vector<PHInstance*>::iterator bind_it;
- if ( get_instance(fp, "binder", false, bind_it) )
- {
- (*bind_it)->handler->update(sc, iname);
- }
+ (*bind_it)->handler->update(sc, iname);
}
}
}
bool ok = true;
- for ( unsigned idx = 0; idx < sc->policy_map->inspection_policy.size(); ++idx )
+ for ( unsigned idx = 0; idx < sc->policy_map->inspection_policy_count(); ++idx )
{
if ( cloned and idx )
break;
set_inspection_policy(sc, idx);
- InspectionPolicy* p = sc->policy_map->inspection_policy[idx];
+ InspectionPolicy* p = sc->policy_map->get_inspection_policy(idx);
p->configure();
ok = ::configure(sc, p->framework_policy, cloned) && ok;
}
void ParseRules(SnortConfig* sc)
{
- for ( unsigned idx = 0; idx < sc->policy_map->ips_policy.size(); ++idx )
+ for ( unsigned idx = 0; idx < sc->policy_map->ips_policy_count(); ++idx )
{
set_ips_policy(sc, idx);
- IpsPolicy* p = sc->policy_map->ips_policy[idx];
+ IpsPolicy* p = sc->policy_map->get_ips_policy(idx);
if ( p->enable_builtin_rules )
ModuleManager::load_rules(sc);
projects / thirdparty / snort3.git / commitdiff
