[fwbuilder-commits] [SCM] Firewall Builder GUI and Policy Compilers Open Source Code branch, develo
From: <gi...@ir...> - 2011-01-12 23:15:38
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Firewall Builder GUI and Policy Compilers Open Source Code". The branch, development has been updated via 77ae2185f21c91c7193afa5989d73d5f05723c24 (commit) from a3d7e3d89b322698106868c0fefd89ff40be99ef (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 77ae2185f21c91c7193afa5989d73d5f05723c24 Author: Vadim Kurland <va...@ne...> Date: Wed Jan 12 15:03:57 2011 -0800 refs #1908 "ASA NAT - cannot configure static NAT translations with (inside,outside)". Added radio buttons diff --git a/doc/ChangeLog b/doc/ChangeLog index 0dfa70e..ca28917 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -3,17 +3,16 @@ * NATCompiler_asa8_writers.cpp (printSDNAT): refs #1908 "ASA NAT - cannot configure static NAT translations with (inside,outside)". Added NAT rule option to make source nat rules "static". The - option is presented to the user as a checkbox in a NAT rule - options dialog which is only enabled when platform is "pix" and - version >= 8.3. Policy compiler generates "twice nat" rules with - keyword "static" in the following cases: when TSrc is "original", - so the rule translates destination and not source or when numbers - of ip addresses represented by OSrc and TSrc are equal. If TSrc is - not "original" and represents different number of ip addresses - than OSrc, compiler looks at the new rule option. If the checkbox - is turned off, then it generates "twice nat" rule with option - "dynamic". If the checkbox is turned on, then it generates the - rule with option "static". + option is presented to the user as three radio buttons in the NAT + rule options dialog which is only enabled when platform is "pix" + and version >= 8.3. Policy compiler generates "twice nat" rules + with keyword "static" in the following cases: when TSrc is + "original", so the rule translates destination and not source or + when numbers of ip addresses represented by OSrc and TSrc are + equal. If TSrc is not "original" and represents different number + of ip addresses than OSrc, compiler looks at the new rule + option. User can use or override automatic algorithm using radio + buttons in the NAT rule options dialog. * NATCompiler_asa8_writers.cpp (printSDNAT): refs #1902 "Add NAT rule option "translate dns" for PIX". The option is only available diff --git a/src/cisco_lib/ASA8TwiceNatLogic.cpp b/src/cisco_lib/ASA8TwiceNatLogic.cpp index da9eb73..7e0bbc2 100644 --- a/src/cisco_lib/ASA8TwiceNatLogic.cpp +++ b/src/cisco_lib/ASA8TwiceNatLogic.cpp 
@@ -26,6 +26,8 @@ #include "fwbuilder/RuleElement.h" #include "fwbuilder/FWOptions.h" +#include <QtDebug> + using namespace libfwbuilder; using namespace std; @@ -36,19 +38,17 @@ ASA8TwiceNatStaticLogic::ASA8TwiceNatStaticLogic(NATRule *_rule) rule = _rule; } -bool ASA8TwiceNatStaticLogic::isStatic() +ASA8TwiceNatStaticLogic::TwiceNatRuleType ASA8TwiceNatStaticLogic::getAutomaticType() { RuleElementOSrc *osrc_re = rule->getOSrc(); assert(osrc_re!=NULL); Address *osrc = Address::cast(FWReference::getObject(osrc_re->front())); - RuleElementOSrc *tsrc_re = rule->getOSrc(); + RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re!=NULL); Address *tsrc = Address::cast(FWReference::getObject(tsrc_re->front())); - FWOptions *ropt = rule->getOptionsObject(); - - if (tsrc->isAny()) return true; + if (tsrc->isAny()) return STATIC; else { /* @@ -56,12 +56,20 @@ bool ASA8TwiceNatStaticLogic::isStatic() * that in TSrc, then use "static". Otherwise use "dynamic". However if * rule option "asa8_nat_static" is true, use "static". */ - if (osrc->dimension() == tsrc->dimension()) return true; - else - { - if (ropt->getBool("asa8_nat_static")) return true; - else return false; - } + if (osrc->dimension() == tsrc->dimension()) return STATIC; + else return DYNAMIC; } - return false; + return DYNAMIC; } + +ASA8TwiceNatStaticLogic::TwiceNatRuleType ASA8TwiceNatStaticLogic::getType() +{ + TwiceNatRuleType res = getAutomaticType(); + FWOptions *ropt = rule->getOptionsObject(); + + if (ropt->getBool("asa8_nat_dynamic")) res = DYNAMIC; + if (ropt->getBool("asa8_nat_static")) res = STATIC; + + return res; +} + diff --git a/src/cisco_lib/ASA8TwiceNatLogic.h b/src/cisco_lib/ASA8TwiceNatLogic.h index f95fe9e..2374647 100644 --- a/src/cisco_lib/ASA8TwiceNatLogic.h +++ b/src/cisco_lib/ASA8TwiceNatLogic.h 
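Review bot: In `getAutomaticType()` the pointers returned by `Address::cast(...)` for `osrc` and `tsrc` are dereferenced (`tsrc->isAny()`, `osrc->dimension()`) without any check; only the rule elements `osrc_re` / `tsrc_re` are asserted, and `assert` is compiled out when NDEBUG is defined. If a rule element ever references an object that is not an `Address`, the cast presumably yields NULL and the compiler or the GUI dialog (which now calls this method) crashes instead of reporting a bad rule. An explicit guard such as `if (osrc == NULL || tsrc == NULL)` that reports the rule as invalid before the first dereference would be safer than relying on the asserts. The `#include <QtDebug>` added in the first hunk of this file is not used by any line visible in these hunks, so it may be a leftover from debugging.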
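Review bot: `getType()` applies the `asa8_nat_dynamic` override unconditionally, so a rule whose TSrc is "any" (destination translation only) can be forced to "dynamic" even though the dialog text added in this same commit says such rules cannot be "dynamic"; the compiler would then write a `source dynamic` NAT line for a combination the UI itself declares invalid. The override should be refused, or turned into a compile error, when `getAutomaticType()` returned `STATIC` because TSrc is any. When both options are true (for example in a hand-edited data file) static wins only by statement order; writing it as `if (ropt->getBool("asa8_nat_static")) res = STATIC; else if (ropt->getBool("asa8_nat_dynamic")) res = DYNAMIC;` with a short comment would make that precedence deliberate. The block comment kept in `getAutomaticType()` still says the `asa8_nat_static` option is consulted there, which is no longer true after this change, and the trailing `return DYNAMIC;` after the if/else is unreachable.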
@@ -30,12 +30,14 @@ class ASA8TwiceNatStaticLogic { libfwbuilder::NATRule *rule; - + public: + enum TwiceNatRuleType {STATIC, DYNAMIC}; ASA8TwiceNatStaticLogic(libfwbuilder::NATRule *rule); - bool isStatic(); - + + TwiceNatRuleType getAutomaticType(); + TwiceNatRuleType getType(); }; #endif diff --git a/src/cisco_lib/NATCompiler_asa8_writers.cpp b/src/cisco_lib/NATCompiler_asa8_writers.cpp index 235b141..5b88919 100644 --- a/src/cisco_lib/NATCompiler_asa8_writers.cpp +++ b/src/cisco_lib/NATCompiler_asa8_writers.cpp @@ -206,8 +206,15 @@ void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule) cmd << "source"; - if (ASA8TwiceNatStaticLogic(rule).isStatic()) cmd << "static"; - else cmd << "ddynamic"; + switch (ASA8TwiceNatStaticLogic(rule).getType()) + { + case ASA8TwiceNatStaticLogic::STATIC: + cmd << "static"; + break; + case ASA8TwiceNatStaticLogic::DYNAMIC: + cmd << "dynamic"; + break; + } cmd << pix_comp->getASA8Object(osrc)->getCommandWord(); if (tsrc->isAny()) diff --git a/src/libgui/NATRuleOptionsDialog.cpp b/src/libgui/NATRuleOptionsDialog.cpp index 9aff42c..28ff259 100644 --- a/src/libgui/NATRuleOptionsDialog.cpp +++ b/src/libgui/NATRuleOptionsDialog.cpp @@ -38,6 +38,8 @@ #include "fwbuilder/FWOptions.h" #include "fwbuilder/Resources.h" +#include "../cisco_lib/ASA8TwiceNatLogic.h" + #include <memory> #include <qpushbutton.h> 
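Review bot: The two accessors added to `ASA8TwiceNatStaticLogic` are undocumented, and the difference between them decides what ends up in the generated NAT command. Going by the .cpp hunk, `getAutomaticType()` looks only at OSrc and TSrc while `getType()` additionally applies the rule options, so I would add `// type derived from OSrc/TSrc only, rule options are ignored` above the first and `// automatic type with the "asa8_nat_dynamic" / "asa8_nat_static" rule options applied on top` above the second. The enumerators `STATIC` and `DYNAMIC` are unscoped all-caps names, which is the usual spelling for macros; a prefix such as `NAT_STATIC` / `NAT_DYNAMIC` would avoid a clash if some platform header defines either name.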
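Review bot: The new `switch` on `getType()` in `printSDNAT` has no `default:` branch, so any value outside the two enumerators (a third type added later, or a corrupted value) appends nothing between "source" and the object name, and the compiler emits a malformed `nat` command with no diagnostic. For output that is loaded onto a firewall it is better to fail the compile than to write a line whose meaning is undefined; add a `default:` that reports an error for this rule through whatever error path `printSDNAT` already uses. The body of `printSDNAT` starts and ends outside this hunk, so that path is not visible here.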
@@ -103,18 +105,21 @@ void NATRuleOptionsDialog::loadFWObject(FWObject *o) { data.registerOption(m_dialog->ipt_use_snat_instead_of_masq, ropt, "ipt_use_snat_instead_of_masq"); - data.registerOption(m_dialog->ipt_nat_random, ropt, "ipt_nat_random"); - data.registerOption(m_dialog->ipt_nat_persistent,ropt,"ipt_nat_persistent"); + data.registerOption(m_dialog->ipt_nat_random, ropt, + "ipt_nat_random"); + data.registerOption(m_dialog->ipt_nat_persistent, ropt, + "ipt_nat_persistent"); } if (platform=="pf") { - data.registerOption(m_dialog->pf_pool_type_none, ropt, "pf_pool_type_none"); - data.registerOption(m_dialog->pf_bitmask , ropt, "pf_bitmask" ); - data.registerOption(m_dialog->pf_random , ropt, "pf_random" ); - data.registerOption(m_dialog->pf_source_hash , ropt, "pf_source_hash" ); - data.registerOption(m_dialog->pf_round_robin , ropt, "pf_round_robin" ); - data.registerOption(m_dialog->pf_static_port , ropt, "pf_static_port" ); + data.registerOption(m_dialog->pf_pool_type_none, ropt, + "pf_pool_type_none"); + data.registerOption(m_dialog->pf_bitmask, ropt, "pf_bitmask"); + data.registerOption(m_dialog->pf_random, ropt, "pf_random"); + data.registerOption(m_dialog->pf_source_hash, ropt, "pf_source_hash"); + data.registerOption(m_dialog->pf_round_robin, ropt, "pf_round_robin"); + data.registerOption(m_dialog->pf_static_port, ropt, "pf_static_port"); } if (platform=="pix" || platform=="fwsm") 
@@ -122,12 +127,54 @@ void NATRuleOptionsDialog::loadFWObject(FWObject *o) if (libfwbuilder::XMLTools::version_compare(version,"8.3")>=0) { m_dialog->asa8_nat_dns->setEnabled(true); + m_dialog->asa8_nat_auto->setEnabled(true); + m_dialog->asa8_nat_dynamic->setEnabled(true); m_dialog->asa8_nat_static->setEnabled(true); - data.registerOption(m_dialog->asa8_nat_dns, ropt, "asa8_nat_dns"); - data.registerOption(m_dialog->asa8_nat_static, ropt, "asa8_nat_static"); + + data.registerOption(m_dialog->asa8_nat_dns, ropt, + "asa8_nat_dns"); + + NATRule *nat_rule = NATRule::cast(rule); + ASA8TwiceNatStaticLogic twice_nat_logic(nat_rule); + + // set asa8_nat_auto to True if none of these are set yet + if (!ropt->getBool("asa8_nat_dynamic") && + !ropt->getBool("asa8_nat_static")) + { + ropt->setBool("asa8_nat_auto", true); + } + + data.registerOption(m_dialog->asa8_nat_auto, ropt, + "asa8_nat_auto"); + data.registerOption(m_dialog->asa8_nat_dynamic, ropt, + "asa8_nat_dynamic"); + data.registerOption(m_dialog->asa8_nat_static, ropt, + "asa8_nat_static"); + + // update text label of radio button asa8_nat_auto + QString rule_state_auto; + + switch (twice_nat_logic.getAutomaticType()) + { + case ASA8TwiceNatStaticLogic::STATIC: + rule_state_auto = "static"; + break; + case ASA8TwiceNatStaticLogic::DYNAMIC: + rule_state_auto = "dynamic"; + break; + } + + QString button_txt = tr( + "Automatically detect NAT type \"static\" or \"dynamic\". " + "This rule is currently set to type \"%1\""); + + m_dialog->asa8_nat_auto->setText(button_txt.arg(rule_state_auto)); + } else { m_dialog->asa8_nat_dns->setEnabled(false); + m_dialog->asa8_nat_auto->setEnabled(false); + m_dialog->asa8_nat_dynamic->setEnabled(false); m_dialog->asa8_nat_static->setEnabled(false); } } 
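Review bot: `loadFWObject()` now modifies the rule it is only supposed to display: `ropt->setBool("asa8_nat_auto", true)` runs whenever the dialog is opened on a rule with neither override set, outside the `FWCmdRuleChangeOptions` command that `applyChanges()` uses, so just viewing a rule can change its stored options with no undo entry. Setting the widget state instead, `m_dialog->asa8_nat_auto->setChecked(true);`, would keep loading read-only; if the registered options are loaded into the widgets later in this function, the call has to come after that point. Separately, the result of `NATRule::cast(rule)` is passed to `ASA8TwiceNatStaticLogic` and dereferenced in `getAutomaticType()` without a check, so a guard like `if (nat_rule != NULL)` around the label update is needed. The function begins and ends outside this hunk.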
@@ -140,13 +187,14 @@ void NATRuleOptionsDialog::loadFWObject(FWObject *o) void NATRuleOptionsDialog::validate(bool *res) { - *res=true; + *res = true; } void NATRuleOptionsDialog::applyChanges() { + std::auto_ptr<FWCmdRuleChange> cmd( + new FWCmdRuleChangeOptions(m_project, obj)); - std::auto_ptr<FWCmdRuleChange> cmd( new FWCmdRuleChangeOptions(m_project, obj)); // new_state is a copy of the rule object FWObject* new_state = cmd->getNewState(); FWOptions* new_rule_options = Rule::cast(new_state)->getOptionsObject(); diff --git a/src/libgui/natruleoptionsdialog_q.ui b/src/libgui/natruleoptionsdialog_q.ui index d41f57d..e81e0e9 100644 --- a/src/libgui/natruleoptionsdialog_q.ui +++ b/src/libgui/natruleoptionsdialog_q.ui @@ -284,17 +284,11 @@ </layout> </widget> <widget class="QWidget" name="ASA8NATRuleOptions"> - <layout class="QGridLayout" name="gridLayout_3"> - <property name="margin"> - <number>12</number> - </property> - <property name="spacing"> - <number>12</number> - </property> + <layout class="QGridLayout" name="gridLayout_4"> <item row="0" column="0"> <widget class="QLabel" name="label_2"> <property name="text"> - <string>Need nice long explanation of the meaning of the "static" option below</string> + <string>Starting with v8.3 ASAs support NAT type "static" and "dynamic" for source NAT rules. Firewall Builder attempts to determine the correct type based on the information in the rule, but the calculated value can be overridden below.</string> </property> <property name="wordWrap"> <bool>true</bool> 
@@ -302,20 +296,53 @@ </widget> </item> <item row="1" column="0"> - <widget class="QCheckBox" name="asa8_nat_static"> - <property name="text"> - <string>Build "static" twice-nat rule</string> + <widget class="QGroupBox" name="groupBox"> + <property name="title"> + <string/> </property> + <property name="flat"> + <bool>true</bool> + </property> + <layout class="QGridLayout" name="gridLayout_3"> + <item row="0" column="0"> + <widget class="QRadioButton" name="asa8_nat_auto"> + <property name="text"> + <string>Automatically detect NAT type "static" or "dynamic". This rule is currently set to type "%1"</string> + </property> + </widget> + </item> + <item row="1" column="0"> + <widget class="QRadioButton" name="asa8_nat_dynamic"> + <property name="text"> + <string>Force rule to be NAT type "dynamic". Note, rules with destination translation defined cannot be "dynamic"</string> + </property> + </widget> + </item> + <item row="2" column="0"> + <widget class="QRadioButton" name="asa8_nat_static"> + <property name="text"> + <string>Force rule to be NAT type "static".</string> + </property> + </widget> + </item> + </layout> </widget> </item> <item row="2" column="0"> + <widget class="Line" name="line"> + <property name="orientation"> + <enum>Qt::Horizontal</enum> + </property> + </widget> + </item> + <item row="3" column="0"> <widget class="QCheckBox" name="asa8_nat_dns"> <property name="text"> <string>Make this NAT rule translate DNS replies. You also need to enable DNS inspection in the firewall object advanced settings dialog.</string> </property> </widget> </item> - <item row="3" column="0"> + <item row="4" column="0"> <spacer name="verticalSpacer_3"> <property name="orientation"> <enum>Qt::Vertical</enum> 
@@ -497,14 +524,46 @@ </hints> </connection> <connection> + <sender>asa8_nat_auto</sender> + <signal>toggled(bool)</signal> + <receiver>NATRuleOptionsDialog_q</receiver> + <slot>changed()</slot> + <hints> + <hint type="sourcelabel"> + <x>470</x> + <y>64</y> + </hint> + <hint type="destinationlabel"> + <x>470</x> + <y>172</y> + </hint> + </hints> + </connection> + <connection> + <sender>asa8_nat_dynamic</sender> + <signal>toggled(bool)</signal> + <receiver>NATRuleOptionsDialog_q</receiver> + <slot>changed()</slot> + <hints> + <hint type="sourcelabel"> + <x>470</x> + <y>93</y> + </hint> + <hint type="destinationlabel"> + <x>470</x> + <y>172</y> + </hint> + </hints> + </connection> + <connection> <sender>asa8_nat_static</sender> - <signal>stateChanged(int)</signal> + <signal>toggled(bool)</signal> <receiver>NATRuleOptionsDialog_q</receiver> <slot>changed()</slot> <hints> <hint type="sourcelabel"> <x>470</x> - <y>60</y> + <y>122</y> </hint> <hint type="destinationlabel"> <x>470</x> diff --git a/src/libgui/platforms.cpp b/src/libgui/platforms.cpp index 5b930b9..02675d2 100644 --- a/src/libgui/platforms.cpp +++ b/src/libgui/platforms.cpp @@ -364,7 +364,9 @@ bool isDefaultNATRuleOptions(FWOptions *opt) if (platform=="pix" || platform=="fwsm") { res = (! opt->getBool("asa8_nat_dns") && - ! opt->getBool("asa8_nat_static")); + ! opt->getBool("asa8_nat_static") && + ! opt->getBool("asa8_nat_dynamic")); + } } return res; diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 80028a6..94f461e 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:41 2011 PST by vadim +! Generated Wed Jan 12 15:01:11 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index 35b2b02..b1f09ec 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:41 2011 PST by vadim +! Generated Wed Jan 12 15:01:11 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 070c116..56d8b6b 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:41 2011 PST by vadim +! Generated Wed Jan 12 15:01:10 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 8127927..30317df 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:41 2011 PST by vadim +! Generated Wed Jan 12 15:01:10 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index b5d1631..d362644 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:16 2011 PST by vadim +! Generated Wed Jan 12 15:00:37 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index e17df7b..b2ee955 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:17 2011 PST by vadim +! Generated Wed Jan 12 15:00:38 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index 4e7f77d..2ca266b 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:18 2011 PST by vadim +! Generated Wed Jan 12 15:00:39 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index 9822e9f..e716014 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:18 2011 PST by vadim +! Generated Wed Jan 12 15:00:40 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 62992c2..daa3301 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:19 2011 PST by vadim +! Generated Wed Jan 12 15:00:41 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index e771b4d..d3b8778 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:20 2011 PST by vadim +! Generated Wed Jan 12 15:00:42 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 97bb6a4..7ddf4ad 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:20 2011 PST by vadim +! Generated Wed Jan 12 15:00:43 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 582efd2..d39834d 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:21 2011 PST by vadim +! Generated Wed Jan 12 15:00:44 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index 2c9d5c6..61a4110 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:22 2011 PST by vadim +! Generated Wed Jan 12 15:00:45 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 4265518..46cf835 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:23 2011 PST by vadim +! Generated Wed Jan 12 15:00:47 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 32f15b2..35f73b9 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:22 2011 PST by vadim +! Generated Wed Jan 12 15:00:46 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 612914c..311c5b6 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:24 2011 PST by vadim +! Generated Wed Jan 12 15:00:48 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index 7af445c..2c3cf56 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:25 2011 PST by vadim +! Generated Wed Jan 12 15:00:49 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index db21f21..0d0bf05 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:26 2011 PST by vadim +! Generated Wed Jan 12 15:00:50 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index 2b1f9d7..b40053d 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:27 2011 PST by vadim +! Generated Wed Jan 12 15:00:51 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index eb8589d..0fb2f8a 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:27 2011 PST by vadim +! Generated Wed Jan 12 15:00:52 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index 2ec678a..5028851 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:28 2011 PST by vadim +! Generated Wed Jan 12 15:00:53 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 5cdf3f7..eacca79 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:29 2011 PST by vadim +! Generated Wed Jan 12 15:00:54 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index 87538c1..d672cd4 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:30 2011 PST by vadim +! Generated Wed Jan 12 15:00:55 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 6e7bc40..0086d05 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:31 2011 PST by vadim +! Generated Wed Jan 12 15:00:56 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index f15f6f3..da1b4d4 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:31 2011 PST by vadim +! Generated Wed Jan 12 15:00:57 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 8504fbb..33e5ada 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:32 2011 PST by vadim +! Generated Wed Jan 12 15:00:58 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 4ea2beb..bed8256 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:33 2011 PST by vadim +! Generated Wed Jan 12 15:00:59 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index c842c6e..40330be 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:33 2011 PST by vadim +! Generated Wed Jan 12 15:01:00 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index 20bed87..f73db85 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:34 2011 PST by vadim +! Generated Wed Jan 12 15:01:01 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -94,7 +94,7 @@ clear config object-group clear config icmp clear config telnet ! -! Rule 0 (global) +! Rule 1 (global) access-list inside_acl_in deny ip any any access-list outside_acl_in deny ip any any @@ -145,6 +145,9 @@ quit object network external_gw2 host 22.22.22.100 quit +object service squid + service tcp destination eq 3128 +quit ! ! Rule 0 (NAT) nat (inside,outside) source dynamic Internal_net interface service http http @@ -222,6 +225,9 @@ nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:i ! for #1908 ! "static" vs "dynamic" nat (inside,outside) source static internal_subnet_1 firewall90:FastEthernet1:ip-1 +! +! Rule 17 (NAT) +nat (outside,inside) source static any any destination static interface hostA:eth0 service http squid diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 39e479d..693cdb2 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:35 2011 PST by vadim +! Generated Wed Jan 12 15:01:02 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index c2287da..cec8876 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:35 2011 PST by vadim +! Generated Wed Jan 12 15:01:03 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index 44d898d..da40851 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:36 2011 PST by vadim +! Generated Wed Jan 12 15:01:04 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index f68afad..5e3c3c1 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:37 2011 PST by vadim +! Generated Wed Jan 12 15:01:05 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index 4436d07..560c265 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb @@ -18228,7 +18228,7 @@ no sysopt nodnsalias outbound <Option name="xlate_ss">0</Option> </FirewallOptions> </Firewall> - <Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294851771" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands SNAT rules " ro="False"> + <Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294873229" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands SNAT rules " ro="False"> <NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> <NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment=""> <OSrc neg="False"> 
@@ -18503,6 +18503,7 @@ no sysopt nodnsalias outbound <ServiceRef ref="sysid1"/> </TSrv> <NATRuleOptions> + <Option name="asa8_nat_auto">True</Option> <Option name="asa8_nat_dns">True</Option> <Option name="color">#8BC065</Option> </NATRuleOptions> @@ -18527,6 +18528,10 @@ no sysopt nodnsalias outbound <ServiceRef ref="sysid1"/> </TSrv> <NATRuleOptions> + <Option name="asa8_nat_auto">True</Option> + <Option name="asa8_nat_dns">False</Option> + <Option name="asa8_nat_dynamic">False</Option> + <Option name="asa8_nat_static">False</Option> <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> @@ -18550,6 +18555,10 @@ no sysopt nodnsalias outbound <ServiceRef ref="sysid1"/> </TSrv> <NATRuleOptions> + <Option name="asa8_nat_auto">True</Option> + <Option name="asa8_nat_dns">False</Option> + <Option name="asa8_nat_dynamic">False</Option> + <Option name="asa8_nat_static">False</Option> <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> @@ -18573,6 +18582,10 @@ no sysopt nodnsalias outbound <ServiceRef ref="sysid1"/> </TSrv> <NATRuleOptions> + <Option name="asa8_nat_auto">True</Option> + <Option name="asa8_nat_dns">False</Option> + <Option name="asa8_nat_dynamic">False</Option> + <Option name="asa8_nat_static">False</Option> <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> @@ -18596,6 +18609,7 @@ no sysopt nodnsalias outbound <ServiceRef ref="sysid1"/> </TSrv> <NATRuleOptions> + <Option name="asa8_nat_auto">True</Option> <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> 
@@ -18619,15 +18633,44 @@ no sysopt nodnsalias outbound
 <ServiceRef ref="sysid1"/>
 </TSrv>
 <NATRuleOptions>
+ <Option name="asa8_nat_auto">False</Option>
 <Option name="asa8_nat_dns">False</Option>
+ <Option name="asa8_nat_dynamic">False</Option>
 <Option name="asa8_nat_static">True</Option>
 <Option name="color">#7694C0</Option>
 </NATRuleOptions>
 </NATRule>
+ <NATRule id="id301880X21607" disabled="False" group="" position="17" action="Translate" comment="">
+ <OSrc neg="False">
+ <ObjectRef ref="sysid0"/>
+ </OSrc>
+ <ODst neg="False">
+ <ObjectRef ref="id20111X3981"/>
+ </ODst>
+ <OSrv neg="False">
+ <ServiceRef ref="tcp-HTTP"/>
+ </OSrv>
+ <TSrc neg="False">
+ <ObjectRef ref="sysid0"/>
+ </TSrc>
+ <TDst neg="False">
+ <ObjectRef ref="host-hostA"/>
+ </TDst>
+ <TSrv neg="False">
+ <ServiceRef ref="id3B4FF09A"/>
+ </TSrv>
+ <NATRuleOptions>
+ <Option name="asa8_nat_auto">True</Option>
+ <Option name="asa8_nat_dns">False</Option>
+ <Option name="asa8_nat_dynamic">False</Option>
+ <Option name="asa8_nat_static">False</Option>
+ <Option name="color">#7694C0</Option>
+ </NATRuleOptions>
+ </NATRule>
 <RuleSetOptions/>
 </NAT>
 <Policy id="id19857X26146" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
- <PolicyRule id="id78630X30274" disabled="False" group="" log="False" position="0" action="Deny" direction="Both" comment="">
+ <PolicyRule id="id78630X30274" disabled="True" group="" log="False" position="0" action="Deny" direction="Both" comment="">
 <Src neg="False">
 <ObjectRef ref="id3FA34EFA"/>
 <ObjectRef ref="id68966X11724"/>
diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig
index e2f1b60..09cdc41 100755
--- a/test/pix/pix515.fw.orig
+++ b/test/pix/pix515.fw.orig
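Review bot: The last changed line of the objects-for-regression-tests.fwb hunk flips `<PolicyRule id="id78630X30274" ... action="Deny" direction="Both">` from `disabled="False"` to `disabled="True"`, which neither the commit message nor the ChangeLog entry (both about NAT rule options) mentions. Disabling the Deny rule at position 0 takes it out of the compiled firewall90 policy, so the regression test stops covering it and the expected output changes with it (presumably part of the 12 changed lines in firewall90.fw.orig). If this is a leftover from debugging the NAT rules, restore `disabled="False"`; if it is intentional, state the reason in the commit message so the expected-output change can be reviewed against it. The Policy element continues outside the hunk.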
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:38 2011 PST by vadim +! Generated Wed Jan 12 15:01:07 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 2b8a77b..b23f9d6 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3429 +! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Tue Jan 11 18:31:39 2011 PST by vadim +! Generated Wed Jan 12 15:01:08 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ----------------------------------------------------------------------- Summary of changes: doc/ChangeLog | 21 +++---- src/cisco_lib/ASA8TwiceNatLogic.cpp | 32 ++++++---- src/cisco_lib/ASA8TwiceNatLogic.h | 8 ++- src/cisco_lib/NATCompiler_asa8_writers.cpp | 11 +++- src/libgui/NATRuleOptionsDialog.cpp | 72 +++++++++++++++++++---- src/libgui/natruleoptionsdialog_q.ui | 87 +++++++++++++++++++++++----- src/libgui/platforms.cpp | 4 +- test/pix/cluster1-1_pix1.fw.orig | 4 +- test/pix/cluster1-1_pix2.fw.orig | 4 +- test/pix/cluster1_pix1.fw.orig | 4 +- test/pix/cluster1_pix2.fw.orig | 4 +- test/pix/firewall.fw.orig | 4 +- test/pix/firewall1.fw.orig | 4 +- test/pix/firewall10.fw.orig | 4 +- test/pix/firewall11.fw.orig | 4 +- test/pix/firewall12.fw.orig | 4 +- test/pix/firewall13.fw.orig | 4 +- test/pix/firewall14.fw.orig | 4 +- test/pix/firewall2.fw.orig | 4 +- test/pix/firewall20.fw.orig | 4 +- test/pix/firewall21-1.fw.orig | 4 +- test/pix/firewall21.fw.orig | 4 +- test/pix/firewall22.fw.orig | 4 +- test/pix/firewall3.fw.orig | 4 +- test/pix/firewall33.fw.orig | 4 +- test/pix/firewall34.fw.orig | 4 +- test/pix/firewall4.fw.orig | 4 +- test/pix/firewall50.fw.orig | 4 +- test/pix/firewall6.fw.orig | 4 +- test/pix/firewall8.fw.orig | 4 +- test/pix/firewall80.fw.orig | 4 +- test/pix/firewall81.fw.orig | 4 +- test/pix/firewall82.fw.orig | 4 +- test/pix/firewall83.fw.orig | 4 +- test/pix/firewall9.fw.orig | 4 +- test/pix/firewall90.fw.orig | 12 +++- test/pix/firewall91.fw.orig | 4 +- test/pix/firewall92.fw.orig | 4 +- test/pix/fwsm1.fw.orig | 4 +- test/pix/fwsm2.fw.orig | 4 +- test/pix/objects-for-regression-tests.fwb | 47 ++++++++++++++- test/pix/pix515.fw.orig | 4 
+- test/pix/real.fw.orig | 4 +- 43 files changed, 302 insertions(+), 128 deletions(-) hooks/post-receive -- Firewall Builder GUI and Policy Compilers Open Source Code |