
Firewall object: FW

'A','B' etc. means particular host or network.

'x'  means the parameter has a value which is to be preserved during
     conversion

'-'  means parameter is unspecified (or in other words, has no value)

nil  "magic" value whose meaning depends on the field it is used for,
     but whose semantics are always the same - it means "nothing", as
     in, for instance, "no interface specified".
     In our notation "nil" matches "x" and does not match "-".



Parameter "Chain" does not exist in the input data (the first half
of each translation table)




( single policy rule coming from gui, with groups, multiple objects in src,dst,srv etc ) ->
 Logging -> 
 InterfaceAndDir -> 
 checkSrcAndDst -> 
 ChainResolved -> 
 Negation -> 
 SrcAndDst -> 
 SpecialCases

#
# this predicate resolves negation. It is guaranteed that after this predicate
# there will be no negation in src,dst,srv fields
#     
Negation         -> processSrcNegation, processDstNegation, processSrvNegation;

#
# this predicate works on source and destination. It processes the case
# when src or dst is "Any" and it opens groups. This is at least partially
# specific to iptables
#
SrcAndDst        -> substituteAny, openGroups;

# 
# this predicate processes interface and direction and guarantees
# that both fields will be defined somehow. A possible value is
# "nil", a magic word which is interpreted accordingly by
# the predicate printing the final iptables code
#
InterfaceAndDir  -> processIfaceAndDir1, processIfaceAndDir2, processIfaceAndDir3;

#
# this predicate decides on the chain for the final iptables code
#
ChainResolved    -> processRegularInput, processRegularOutput, processRegularForward;

#
# this predicate works on special cases. For now there is only one predicate
# for one particular special case, but we'll add more later
#
SpecialCases     -> SpecialCaseWithFw1;



#
# predicates to check data consistency 
#
checkSrcAndDst   -> checkSrcAndDst1, checkSrcAndDst2;


#
#  working predicates
#
substituteAny    -> substituteSrcAny, substituteDstAny;

#
#  Deal with logging. This predicate adds atomic rules needed for logging
#  We can forget about logging after this predicate and work with what it
#  produces
#
Predicate name:  Logging

Src    Dst     Srv       Iface     Dir    Chain     Log     Action(JumpTo)
----------------------------------------------------------------------------
x      x        x         x         x       -       True     Action    
============================================================================
 create new chain RULE_N			     	            
x      x        x         x         x       -       False    RULE_N
-      -        -         -         -     RULE_N    False    LOG
-      -        -         -         -     RULE_N    False    Action
----------------------------------------------------------------------------


#
#  Resolve negation (CHAIN should be defined by now). 
#
Predicate name:  processSrcNegation

Src    Dst     Srv       Iface     Dir       Chain     Log    Action(JumpTo)
----------------------------------------------------------------------------
!A     B       C          x         x          x        x    Action
============================================================================
create new temp. chain T_RULE_N
-      -       -          x         x          x        x     T_RULE_N
A      B       C          x         x       T_RULE_N    x     RETURN
any    B       C          x         x       T_RULE_N    x     Action
----------------------------------------------------------------------------


Predicate name: processDstNegation

Src    Dst     Srv       Iface     Dir       Chain     Log    Action(JumpTo)
----------------------------------------------------------------------------
A     !B       C          x         x          x        x     Action
============================================================================
create new temp. chain T_RULE_N
-      -       -          x         x          x        x     T_RULE_N
A      B       C          x         x       T_RULE_N    x     RETURN
A    any       C          x         x       T_RULE_N    x     Action
----------------------------------------------------------------------------


Predicate name: processSrvNegation

Src    Dst     Srv       Iface     Dir       Chain     Log    Action(JumpTo)
----------------------------------------------------------------------------
A      B      !C          x         x          x        x     Action
============================================================================
create new temp. chain T_RULE_N
-      -       -          x         x          x        x     T_RULE_N
A      B       C          x         x       T_RULE_N    x     RETURN
A      B     any          x         x       T_RULE_N    x     Action
----------------------------------------------------------------------------



			
#
#  Substitute "any"
#

PredicateName:  substituteDstAny

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
A      any      x         x         x          -
=====================================================
A      FW       x         x         x          -
A      any      x         x         x          -
-----------------------------------------------------
			
			
Predicate name:  substituteSrcAny

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
any     A       x         x         x          -
=====================================================
FW      A       x         x         x          -
any     A       x         x         x          -
-----------------------------------------------------



#
#  Open groups
#

Predicate name:  openGroups

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
A      C       E          x         x          -
B      D       F          x         x          -
=====================================================
A      C       E          x         x          -
B      C       E          x         x          -
A      D       E          x         x          -
B      D       E          x         x          -
A      C       F          x         x          -
B      C       F          x         x          -
A      D       F          x         x          -
B      D       F          x         x          -
-----------------------------------------------------

#
#  Deal with directions and decide on the Chain
#

Predicate Name: processIfaceAndDir1

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
x       x       x         -         x          -
=====================================================
ERROR (direction specified without interface)
-----------------------------------------------------



Predicate Name: processIfaceAndDir2

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
x       x       x         x         -          -
=====================================================
x       x       x         x        Both        -
-----------------------------------------------------
			
			
Predicate Name: processIfaceAndDir3

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
x       x       x         -         -          -
=====================================================
x       x       x         nil       Both       -
-----------------------------------------------------
			

			
Predicate Name: checkSrcAndDst1

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
!FW    FW       x         x         Out        -
===============================================================
ERROR (direction=Outbound, destination=Firewall, source!=Firewall)
---------------------------------------------------------------




Predicate Name: checkSrcAndDst2

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
FW     !FW      x         x         In         -
===============================================================
ERROR (direction=Inbound, source=Firewall, destination!=Firewall)
---------------------------------------------------------------


Predicate Name: SpecialCaseWithFw1

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
FW     FW       x         x         x          -
=====================================================
FW     nil      x         x         In        INPUT
nil    FW       x         x         Out       OUTPUT
-----------------------------------------------------
			
			
Predicate Name: processRegularInput

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
A      FW       x         x         x          -
=====================================================
A      nil      x         x         In       INPUT
-----------------------------------------------------
			
			
Predicate Name: processRegularOutput

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
FW     A        x         x         x          -
=====================================================
nil    A        x         x         Out      OUTPUT
-----------------------------------------------------
			
			
Predicate Name: processRegularForward

Src    Dst     Srv       Iface     Dir       Chain
-----------------------------------------------------
A      B        x         x         x          -
=====================================================
A      B        x         x         x        FORWARD
-----------------------------------------------------





#
#  Examples of final code generation (a couple of cases for directions
#  and interfaces; "nil" in Iface means the -i/-o option is omitted)
#
Src    Dst     Srv       Iface     Dir       Chain   JumpTo
---------------------------------------------------------------
A      B        x         iface     In       CHAIN    ACTION   
===============================================================
iptables -A CHAIN A B -i iface -j ACTION
---------------------------------------------------------------


Src    Dst     Srv       Iface     Dir       Chain   JumpTo
---------------------------------------------------------------
A      B        x         nil       In       CHAIN    ACTION   
===============================================================
iptables -A CHAIN A B -j ACTION
---------------------------------------------------------------


Src    Dst     Srv       Iface     Dir       Chain   JumpTo
---------------------------------------------------------------
A      B        x         iface     Out      CHAIN    ACTION   
===============================================================
iptables -A CHAIN A B -o iface -j ACTION
---------------------------------------------------------------


Src    Dst     Srv       Iface     Dir       Chain   JumpTo
---------------------------------------------------------------
A      B        x         nil       Out      CHAIN    ACTION   
===============================================================
iptables -A CHAIN A B -j ACTION
---------------------------------------------------------------







Src    Dst     Srv      Action     Iface     Dir       Chain
---------------------------------------------------------------
A      FW       x        x          x         In          -
===============================================================
