本文整理汇总了C++中PolicyRule::getRouting方法的典型用法代码示例。如果您正苦于以下问题:C++ PolicyRule::getRouting方法的具体用法?C++ PolicyRule::getRouting怎么用?C++ PolicyRule::getRouting使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类PolicyRule的用法示例。
在下文中一共展示了PolicyRule::getRouting方法的2个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: checkForShadowing
/*
* detects if tule r2 shades rule r1.
*/
bool PolicyCompiler::checkForShadowing(PolicyRule &r1, PolicyRule &r2)
{
RuleElement *srcrel1;
RuleElement *dstrel1;
RuleElement *srvrel1;
RuleElement *srcrel2;
RuleElement *dstrel2;
RuleElement *srvrel2;
FWObject::iterator i1 = r1.begin();
srcrel1 = RuleElement::cast(*i1);
i1++;
dstrel1 = RuleElement::cast(*i1);
i1++;
srvrel1 = RuleElement::cast(*i1);
i1 = r2.begin();
srcrel2 = RuleElement::cast(*i1);
i1++;
dstrel2 = RuleElement::cast(*i1);
i1++;
srvrel2 = RuleElement::cast(*i1);
if (srcrel1->getNeg()) return false;
if (dstrel1->getNeg()) return false;
if (srvrel1->getNeg()) return false;
if (srcrel2->getNeg()) return false;
if (dstrel2->getNeg()) return false;
if (srvrel2->getNeg()) return false;
/*
* TODO: actually, route rule may shadow other rules if it
* translates into "final" target, that is stops processing. This
* may or may not be so, depending on the platform and combination
* of rule options.
*/
if (r1.getRouting() || r2.getRouting()) return false;
PolicyRule::Action r1_action = r1.getAction();
PolicyRule::Action r2_action = r2.getAction();
if (r1_action==PolicyRule::Accounting ||
r2_action==PolicyRule::Accounting ) return false;
/*
* this is delicate case: negation. We consider r2 to "shade" r1
* only if r2 is above r1 in the policy; if r1 originally had
* negation and has been split, such as for example done in
* fwb_ipt, then some of the produced rules have action Return. If
* r2 has action != Return and r1 has action Return, we ignore r1.
*/
if (r1_action==PolicyRule::Return ||
r2_action==PolicyRule::Return ) return false;
/*
* the problem with branching rules is that it is combination of
* the head rule and rules in the branch rather than a single rule
* that can shadow other rules below them. Our current mechanism for
* shadowing detection does not support this so all we can do is
* skip rules with action Branch.
*/
if (r1_action==PolicyRule::Branch ||
r2_action==PolicyRule::Branch ) return false;
/*
* rules with action continue do not make final decision and
* therefore can not shadow other rules (but can be shadowed)
*/
if (/* r1_action==PolicyRule::Continue || */
r2_action==PolicyRule::Continue ) return false;
Address *src1;
Address *dst1;
Service *srv1;
Address *src2;
Address *dst2;
Service *srv2;
map<int, threeTuple*>::iterator it = rule_elements_cache.find(r1.getId());
if (it!=rule_elements_cache.end())
{
threeTuple *tt = it->second;
src1 = tt->src;
dst1 = tt->dst;
srv1 = tt->srv;
} else
{
src1 = Address::cast(FWReference::cast(srcrel1->front())->getPointer());
dst1 = Address::cast(FWReference::cast(dstrel1->front())->getPointer());
srv1 = Service::cast(FWReference::cast(srvrel1->front())->getPointer());
threeTuple *tt = new struct threeTuple;
tt->src = src1;
tt->dst = dst1;
tt->srv = srv1;
rule_elements_cache[r1.getId()] = tt;
//.........这里部分代码省略.........
示例2: getNext
bool MangleTableCompiler_ipt::keepMangleTableRules::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
FWOptions *ruleopt = rule->getOptionsObject();
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
string ruleset_name = compiler->getRuleSetName();
FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set"))
tmp_queue.push_back(rule);
else
{
if (rule->getAction() == PolicyRule::Branch &&
ruleopt->getBool("ipt_branch_in_mangle"))
{
PolicyRule* r;
// this is a branching rule for mangle table. Need to put it
// into PREROUTING and POSTROUTING chains as well because some
// targets that work with mangle table can only go into these
// chains, yet we do not know what kind of rules will user
// place in the branch
if (rule->getDirection()==PolicyRule::Undefined ||
rule->getDirection()==PolicyRule::Both ||
rule->getDirection()==PolicyRule::Inbound)
{
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain","PREROUTING");
tmp_queue.push_back(r);
}
if (rule->getDirection()==PolicyRule::Undefined ||
rule->getDirection()==PolicyRule::Both ||
rule->getDirection()==PolicyRule::Outbound)
{
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain","POSTROUTING");
tmp_queue.push_back(r);
}
// ticket #1415 User reports that only packets that went
// through the FORWARD chain can match inbound "-i" and
// outbound "-o" interface at the same time. Since we do
// not allow both in and out interface matches in one rule
// and have to use branch to do this, need to branch in
// FORWARD chain as well so that inbound interface can be
// matched in the branching rule and outbound interface
// can be matched in a rule in the branch
//
// This is ugly, this means the branch will inspect the
// packet at least twice - in PREROUTING and FORWARD, or
// FORWARD and POSTROUTING chains.
//
// I mention above that some targets can only be used in
// PREROUTING or POSTROUTING chains. It would help if
// these tagrets worked in FORWARD chain, in that case we
// could just branch in FORWARD instead of all thress chains.
//
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain","FORWARD");
tmp_queue.push_back(r);
// tmp_queue.push_back(rule);
return true;
}
if (rule->getTagging() ||
rule->getRouting() ||
rule->getClassification() ||
ruleopt->getBool("put_in_mangle_table")) tmp_queue.push_back(rule);
}
return true;
}