[fwbuilder-commits] [SCM] Firewall Builder GUI and Policy Compilers Open Source Code branch, develo
From: <gi...@ir...> - 2011-01-13 18:34:54
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Firewall Builder GUI and Policy Compilers Open Source Code".

The branch, development has been updated
via 59a90aabb1908c7338f21687a6a7f8799a61f56c (commit)
from f684d791c682ef45a90058d0e8dab6e2a360891f (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
commit 59a90aabb1908c7338f21687a6a7f8799a61f56c
Author: Vadim Kurland <va...@sl...>
Date: Thu Jan 13 10:34:36 2011 -0800

fixes #1921 add rule processor to check correctness of TSrc after object-groups have been created

diff --git a/src/cisco_lib/NATCompiler_asa8.cpp b/src/cisco_lib/NATCompiler_asa8.cpp
index a1dbc23..b4282eb 100644
--- a/src/cisco_lib/NATCompiler_asa8.cpp
+++ b/src/cisco_lib/NATCompiler_asa8.cpp
@@ -111,6 +111,52 @@ bool NATCompiler_asa8::VerifyValidityOfDNSOption::processNext()
     return true;
 }
 
+/*
+ * After we call CreateObjectGroupsForTSrc to create object group for
+ * TSrc, it can be one of the following:
+ *
+ * - any
+ * - single address
+ * - single group (object group that was created by CreateObjectGroupsForTSrc)
+ * - an address and interface
+ * - a group and interface
+ *
+ * CreateObjectGroups::processNext() always puts interface first and group or
+ * address second in TSrc
+ */
+bool NATCompiler_asa8::VerifyValidityOfTSrc::processNext()
+{
+    NATRule *rule = getNext(); if (rule==NULL) return false;
+
+    tmp_queue.push_back(rule);
+
+    RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re);
+    if (tsrc_re->isAny()) return true;
+    if (tsrc_re->size()==1) return true;
+    if (tsrc_re->size()==2)
+    {
+        FWObject *obj1 = NULL;
+        FWObject *obj2 = NULL;
+        for (FWObject::iterator it=tsrc_re->begin(); it!=tsrc_re->end(); ++it)
+        {
+            if (obj1 == NULL) obj1 = FWReference::getObject(*it);
+            if (obj2 == NULL) obj2 = FWReference::getObject(*it);
+        }
+        if (Interface::isA(obj1) && Address::cast(obj2)!=NULL) return true;
+        if (Interface::isA(obj1) && Group::cast(obj2)!=NULL) return true;
+        QString err("Invalid combination of objects in TSrc: %1 (%2) and %3 (%4) ");
+        compiler->abort(
+            rule,
+            err.arg(obj1->getName().c_str()).arg(obj1->getTypeName().c_str())
+            .arg(obj2->getName().c_str()).arg(obj2->getTypeName().c_str())
+            .toStdString());
+    }
+
+    compiler->abort(rule, "TSrc has >2 objects");
+
+    return true;
+}
+
 bool NATCompiler_asa8::VerifyRules::processNext()
 {
     NATRule *rule = getNext(); if (rule==NULL) return false;
@@ -307,6 +353,7 @@ void NATCompiler_asa8::compile()
                  "Check validity of 'translate dns' option"));
         add( new CreateObjectGroupsForTSrc("create object groups for TSrc"));
+        add( new VerifyValidityOfTSrc("verify objects in TSrc"));
 /* REMOVE_OLD_OPTIMIZATIONS
         if (fw->getOptionsObject()->getBool("pix_optimize_default_nat"))
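Review bot: The pair-collection loop in VerifyValidityOfTSrc::processNext() never looks at the second object: on the first iteration obj1 is assigned, and because obj2 is still NULL the very next statement assigns obj2 the same object, so both pointers refer to the first element and the second element is never fetched. If Interface derives from Address in libfwbuilder (as I believe it does), `Address::cast(obj2)` then succeeds whenever the first object is an interface, so any interface-plus-anything pair passes the check, while a pair that happens to start with a non-interface is rejected with a message that names the same object twice. Making the second assignment depend on the first fixes it: `if (obj1 == NULL) obj1 = FWReference::getObject(*it);` followed by `else if (obj2 == NULL) obj2 = FWReference::getObject(*it);`. Separately, if compiler->abort() can return instead of throwing (the compiler has an error-collecting mode, as far as I recall), the size()==2 branch falls through to the "TSrc has >2 objects" abort as well; a `return true;` after the first abort would keep the two diagnostics distinct. The second hunk sits inside compile(), whose body starts and ends outside the hunk.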
diff --git a/src/cisco_lib/NATCompiler_asa8.h b/src/cisco_lib/NATCompiler_asa8.h
index 44be917..d3c67d5 100644
--- a/src/cisco_lib/NATCompiler_asa8.h
+++ b/src/cisco_lib/NATCompiler_asa8.h
@@ -60,6 +60,12 @@ namespace fwcompiler {
         DECLARE_NAT_RULE_PROCESSOR(PrintObjectsForNat);
+        /*
+         * Check that TSrc has right combination of objects after
+         * object group has been created. Call after CreateObjectGroupsForTSrc
+         */
+        DECLARE_NAT_RULE_PROCESSOR(VerifyValidityOfTSrc);
+
         /**
          * TSrc may contain multiple objects, so we should group them
          * in order to put all addresses, address ranges and subnets
diff --git a/src/cisco_lib/NATCompiler_asa8_writers.cpp b/src/cisco_lib/NATCompiler_asa8_writers.cpp
index 73f40b6..68ba5e0 100644
--- a/src/cisco_lib/NATCompiler_asa8_writers.cpp
+++ b/src/cisco_lib/NATCompiler_asa8_writers.cpp
@@ -198,8 +198,10 @@ QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj)
         if (og->getId() == obj->getId()) return obj->getName().c_str();
     }
+    if (Interface::isA(obj) && obj->isChildOf(compiler->fw)) return "interface";
+
     QString err("Found unknown object '%1' in the NAT rule: it is not "
-                "an ASA8 object nor object group");
+                "an ASA8 object, object group or an interface of the firewall");
     throw FWException(err.arg(obj->getName().c_str()).toStdString());
 }
diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig
index 16a81db..9f81ad8 100755
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
@@ -3,7 +3,7 @@
 ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:34 2011 PST by vadim +! Generated Thu Jan 13 10:33:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported
diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig
index 7703dcc..a35920f 100755
--- a/test/pix/cluster1-1_pix2.fw.orig
+++ b/test/pix/cluster1-1_pix2.fw.orig
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:34 2011 PST by vadim +! Generated Thu Jan 13 10:33:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index fd67c4a..ceb6e25 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:33 2011 PST by vadim +! Generated Thu Jan 13 10:33:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 944cea2..ef4a2fc 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:33 2011 PST by vadim +! Generated Thu Jan 13 10:33:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index a879ed4..feb8254 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:09 2011 PST by vadim +! Generated Thu Jan 13 10:33:25 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index a088304..ba466f4 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:10 2011 PST by vadim +! Generated Thu Jan 13 10:33:25 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index b90a27d..3b35ef6 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:11 2011 PST by vadim +! Generated Thu Jan 13 10:33:26 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index 4f58fdb..5875518 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:11 2011 PST by vadim +! Generated Thu Jan 13 10:33:27 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index b2318b5..3688524 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:12 2011 PST by vadim +! Generated Thu Jan 13 10:33:27 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 7f48ed0..fac1c65 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:13 2011 PST by vadim +! Generated Thu Jan 13 10:33:28 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 22423d0..bd4b852 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:13 2011 PST by vadim +! Generated Thu Jan 13 10:33:29 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 8ffab0f..50951e0 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:14 2011 PST by vadim +! Generated Thu Jan 13 10:33:29 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index ed873c8..14617f4 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:15 2011 PST by vadim +! Generated Thu Jan 13 10:33:30 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 16a8e45..3698698 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:16 2011 PST by vadim +! Generated Thu Jan 13 10:33:31 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index f608103..581f32d 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:15 2011 PST by vadim +! Generated Thu Jan 13 10:33:31 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 9e25816..f37d08a 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:17 2011 PST by vadim +! Generated Thu Jan 13 10:33:32 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index d15d3a0..f24d298 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:17 2011 PST by vadim +! Generated Thu Jan 13 10:33:33 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index a6198b2..81d8eb5 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:18 2011 PST by vadim +! Generated Thu Jan 13 10:33:34 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index 91233c0..3ff6bd3 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:19 2011 PST by vadim +! Generated Thu Jan 13 10:33:35 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index e49caca..75b4369 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:20 2011 PST by vadim +! Generated Thu Jan 13 10:33:35 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index b24ae1c..4f31a3e 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:21 2011 PST by vadim +! Generated Thu Jan 13 10:33:36 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 61cb5c2..ba55987 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:21 2011 PST by vadim +! Generated Thu Jan 13 10:33:37 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index 969ee52..c857033 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:23 2011 PST by vadim +! Generated Thu Jan 13 10:33:38 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 9861c0f..39e8e63 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:23 2011 PST by vadim +! Generated Thu Jan 13 10:33:38 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index 37aeabf..b32757e 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:24 2011 PST by vadim +! Generated Thu Jan 13 10:33:39 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 561e879..70d1b8b 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:25 2011 PST by vadim +! Generated Thu Jan 13 10:33:40 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 31416ac..6a3fd8f 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 00:02:09 2011 PST by vadim +! Generated Thu Jan 13 10:33:40 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -137,6 +137,7 @@ quit object service http service tcp destination eq 80 quit + ! ! Rule 0 (NAT) nat (inside,outside) source static hostA:eth0 interface service http http diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index ed3f78f..682b27e 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:26 2011 PST by vadim +! Generated Thu Jan 13 10:33:41 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index 05873d2..976bf8a 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:26 2011 PST by vadim +! Generated Thu Jan 13 10:33:42 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -16,8 +16,8 @@ ! testing new style ASA 8.3 nat commands ! SNAT rules -! N firewall90:NAT:10: error: Option 'translate dns' can not be used in combination with destination matching or translation -! N firewall90:NAT:11: error: Option 'translate dns' can not be used in combination with service matching or translation +! N firewall90:NAT:12: error: Option 'translate dns' can not be used in combination with destination matching or translation +! N firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with service matching or translation ! ! Prolog script: 
@@ -162,14 +162,23 @@ object-group network outside.id130599X29063.tsrc.net.0 object-group network outside.id20720X27505.tsrc.net.0 network-object host 22.22.22.21 - network-object host 22.22.22.22 network-object host 22.22.22.100 exit object-group network outside.id241772X29764.tsrc.net.0 network-object host 22.22.22.21 - network-object host 22.22.22.22 + exit + + +object-group network outside.id643024X27990.tsrc.net.0 + network-object host 22.22.22.30 + network-object host 22.22.22.100 + exit + + +object-group network outside.id643092X27990.tsrc.net.0 + network-object 22.22.22.128 255.255.255.224 exit 
@@ -209,65 +218,74 @@ nat (inside,outside) source dynamic hostA:eth0 outside.id130599X29063.tsrc.net.0 ! ! Rule 7 (NAT) ! For #1907 -nat (inside,outside) source dynamic hostA:eth0 outside.id20720X27505.tsrc.net.0 service smtp smtp +nat (inside,outside) source dynamic hostA:eth0 outside.id20720X27505.tsrc.net.0 interface service smtp smtp ! ! Rule 8 (NAT) ! For #1907 -nat (inside,outside) source dynamic hostA:eth0 outside.id241772X29764.tsrc.net.0 service smtp smtp +nat (inside,outside) source dynamic hostA:eth0 outside.id241772X29764.tsrc.net.0 interface service smtp smtp ! ! Rule 9 (NAT) +! For #1907 +nat (inside,outside) source dynamic hostA:eth0 outside.id643024X27990.tsrc.net.0 interface service smtp smtp +! +! Rule 10 (NAT) +! For #1907 +nat (inside,outside) source dynamic hostA:eth0 outside.id643092X27990.tsrc.net.0 interface service smtp smtp +! +! Rule 11 (NAT) ! for #1902 nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 dns ! -! Rule 10 (NAT) +! Rule 12 (NAT) ! for #1902 ! can't use dns with destination matching or translation -! firewall90:NAT:10: error: Option 'translate dns' can not be used in combination with destination matching or translation +! firewall90:NAT:12: error: Option 'translate dns' can not be used in combination with destination matching or translation nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 destination static spamhost1 spamhost1 dns ! -! Rule 11 (NAT) +! Rule 13 (NAT) ! for #1902 ! cant use dns with service translation either -! firewall90:NAT:11: error: Option 'translate dns' can not be used in combination with service matching or translation +! firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with service matching or translation nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service smtp smtp dns ! -! Rule 12 (NAT) +! Rule 14 (NAT) ! for #1908 ! 
"static" vs "dynamic" nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip-1 ! -! Rule 13 (NAT) +! Rule 15 (NAT) ! for #1908 ! "static" vs "dynamic" nat (inside,outside) source dynamic hostA:eth0 outside_range ! -! Rule 14 (NAT) +! Rule 16 (NAT) ! for #1908 "static" vs "dynamic" ! for #1885 "named object" - create +! for #1907 "multiple objects in TSrc" ! network object to define address range, then add it to object-group nat (inside,outside) source dynamic hostA:eth0 outside.id21121X3710.tsrc.net.0 interface ! -! Rule 15 (NAT) -! for #1908, #1916 -! "static" vs "dynamic" +! Rule 17 (NAT) +! for #1908, #1916 "static" vs "dynamic" +! for #1907 "multiple objects in TSrc" nat (inside,outside) source dynamic hostA:eth0 outside.id21177X3720.tsrc.net.0 interface ! -! Rule 16 (NAT) +! Rule 18 (NAT) ! for #1908 ! "static" vs "dynamic" nat (outside,outside) source dynamic outside_range firewall90:FastEthernet1:ip-1 ! -! Rule 17 (NAT) +! Rule 19 (NAT) ! for #1908 ! "static" vs "dynamic" nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 ! -! Rule 18 (NAT) +! Rule 20 (NAT) ! for #1908 ! "static" vs "dynamic" nat (inside,outside) source static internal_subnet_1 firewall90:FastEthernet1:ip-1 ! -! Rule 19 (NAT) +! Rule 21 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0 service http squid diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 343777d..e060c70 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:27 2011 PST by vadim +! Generated Thu Jan 13 10:33:42 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index c96e5f5..dd28242 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:28 2011 PST by vadim +! Generated Thu Jan 13 10:33:43 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index 7b3e28f..56f84ba 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:29 2011 PST by vadim +! Generated Thu Jan 13 10:33:44 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index 28bee5e..9ca09e0 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:30 2011 PST by vadim +! Generated Thu Jan 13 10:33:45 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index 77c708a..477dce0 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb 
@@ -18239,7 +18239,7 @@ no sysopt nodnsalias outbound <Option name="xlate_ss">0</Option> </FirewallOptions> </Firewall> - <Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294888343" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands SNAT rules " ro="False"> + <Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294943249" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands SNAT rules " ro="False"> <NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> <NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment=""> <OSrc neg="False"> @@ -18410,7 +18410,7 @@ no sysopt nodnsalias outbound <TSrc neg="False"> <ObjectRef ref="id3D196750"/> <ObjectRef ref="id23297X67574"/> - <ObjectRef ref="id20111X3981"/> + <ObjectRef ref="id19852X26146"/> </TSrc> <TDst neg="False"> <ObjectRef ref="sysid0"/> 
@@ -18434,7 +18434,53 @@ no sysopt nodnsalias outbound </OSrv> <TSrc neg="False"> <ObjectRef ref="id3D196750"/> - <ObjectRef ref="id20111X3981"/> + <ObjectRef ref="id19852X26146"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="sysid0"/> + </TDst> + <TSrv neg="False"> + <ServiceRef ref="sysid1"/> + </TSrv> + <NATRuleOptions> + <Option name="color">#C0BA44</Option> + </NATRuleOptions> + </NATRule> + <NATRule id="id643024X27990" disabled="False" group="" position="9" action="Translate" comment="For #1907 "> + <OSrc neg="False"> + <ObjectRef ref="host-hostA"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="sysid0"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="tcp-SMTP"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="id21078X3710"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="sysid0"/> + </TDst> + <TSrv neg="False"> + <ServiceRef ref="sysid1"/> + </TSrv> + <NATRuleOptions> + <Option name="color">#C0BA44</Option> + </NATRuleOptions> + </NATRule> + <NATRule id="id643092X27990" disabled="False" group="" position="10" action="Translate" comment="For #1907 "> + <OSrc neg="False"> + <ObjectRef ref="host-hostA"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="sysid0"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="tcp-SMTP"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="id21119X3720"/> </TSrc> <TDst neg="False"> <ObjectRef ref="sysid0"/> @@ -18446,7 +18492,7 @@ no sysopt nodnsalias outbound <Option name="color">#C0BA44</Option> </NATRuleOptions> </NATRule> - <NATRule id="id168272X32146" disabled="False" group="" position="9" action="Translate" comment="for #1902 "> + <NATRule id="id168272X32146" disabled="False" group="" position="11" action="Translate" comment="for #1902 "> <OSrc neg="False"> <ObjectRef ref="id178241X29963"/> </OSrc> 
@@ -18470,7 +18516,7 @@ no sysopt nodnsalias outbound <Option name="color">#8BC065</Option> </NATRuleOptions> </NATRule> - <NATRule id="id168336X32146" disabled="False" group="" position="10" action="Translate" comment="for #1902 can't use dns with destination matching or translation "> + <NATRule id="id168336X32146" disabled="False" group="" position="12" action="Translate" comment="for #1902 can't use dns with destination matching or translation "> <OSrc neg="False"> <ObjectRef ref="id178241X29963"/> </OSrc> @@ -18494,7 +18540,7 @@ no sysopt nodnsalias outbound <Option name="color">#8BC065</Option> </NATRuleOptions> </NATRule> - <NATRule id="id168390X32146" disabled="False" group="" position="11" action="Translate" comment="for #1902 cant use dns with service translation either "> + <NATRule id="id168390X32146" disabled="False" group="" position="13" action="Translate" comment="for #1902 cant use dns with service translation either "> <OSrc neg="False"> <ObjectRef ref="id178241X29963"/> </OSrc> @@ -18519,7 +18565,7 @@ no sysopt nodnsalias outbound <Option name="color">#8BC065</Option> </NATRuleOptions> </NATRule> - <NATRule id="id20877X22142" disabled="False" group="" position="12" action="Translate" comment="for #1908 "static" vs "dynamic" "> + <NATRule id="id20877X22142" disabled="False" group="" position="14" action="Translate" comment="for #1908 "static" vs "dynamic" "> <OSrc neg="False"> <ObjectRef ref="host-hostA"/> </OSrc> @@ -18546,7 +18592,7 @@ no sysopt nodnsalias outbound <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> - <NATRule id="id76573X22142" disabled="False" group="" position="13" action="Translate" comment="for #1908 "static" vs "dynamic" "> + <NATRule id="id76573X22142" disabled="False" group="" position="15" action="Translate" comment="for #1908 "static" vs "dynamic" "> <OSrc neg="False"> <ObjectRef ref="host-hostA"/> </OSrc> 
@@ -18573,7 +18619,7 @@ no sysopt nodnsalias outbound <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> - <NATRule id="id21121X3710" disabled="False" group="" position="14" action="Translate" comment="for #1908 "static" vs "dynamic" for #1885 "named object" - create network object to define address range, then add it to object-group"> + <NATRule id="id21121X3710" disabled="False" group="" position="16" action="Translate" comment="for #1908 "static" vs "dynamic" for #1885 "named object" - create for #1907 "multiple objects in TSrc" network object to define address range, then add it to object-group"> <OSrc neg="False"> <ObjectRef ref="host-hostA"/> </OSrc> @@ -18600,7 +18646,7 @@ no sysopt nodnsalias outbound <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> - <NATRule id="id21177X3720" disabled="False" group="" position="15" action="Translate" comment="for #1908, #1916 "static" vs "dynamic" "> + <NATRule id="id21177X3720" disabled="False" group="" position="17" action="Translate" comment="for #1908, #1916 "static" vs "dynamic" for #1907 "multiple objects in TSrc" "> <OSrc neg="False"> <ObjectRef ref="host-hostA"/> </OSrc> @@ -18627,7 +18673,7 @@ no sysopt nodnsalias outbound <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> - <NATRule id="id132365X22142" disabled="False" group="" position="16" action="Translate" comment="for #1908 "static" vs "dynamic" "> + <NATRule id="id132365X22142" disabled="False" group="" position="18" action="Translate" comment="for #1908 "static" vs "dynamic" "> <OSrc neg="False"> <ObjectRef ref="id3D196750"/> </OSrc> 
@@ -18654,7 +18700,7 @@ no sysopt nodnsalias outbound <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> - <NATRule id="id188268X22142" disabled="False" group="" position="17" action="Translate" comment="for #1908 "static" vs "dynamic" "> + <NATRule id="id188268X22142" disabled="False" group="" position="19" action="Translate" comment="for #1908 "static" vs "dynamic" "> <OSrc neg="False"> <ObjectRef ref="id178241X29963"/> </OSrc> @@ -18678,7 +18724,7 @@ no sysopt nodnsalias outbound <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> - <NATRule id="id244282X22142" disabled="False" group="" position="18" action="Translate" comment="for #1908 "static" vs "dynamic" "> + <NATRule id="id244282X22142" disabled="False" group="" position="20" action="Translate" comment="for #1908 "static" vs "dynamic" "> <OSrc neg="False"> <ObjectRef ref="id178241X29963"/> </OSrc> @@ -18705,7 +18751,7 @@ no sysopt nodnsalias outbound <Option name="color">#7694C0</Option> </NATRuleOptions> </NATRule> - <NATRule id="id301880X21607" disabled="False" group="" position="19" action="Translate" comment=""> + <NATRule id="id301880X21607" disabled="False" group="" position="21" action="Translate" comment=""> <OSrc neg="False"> <ObjectRef ref="sysid0"/> </OSrc> diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index 1431303..53fe7bb 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:31 2011 PST by vadim +! Generated Thu Jan 13 10:33:46 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 05eaa5b..7926067 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3430 ! -! Generated Thu Jan 13 10:09:31 2011 PST by vadim +! Generated Thu Jan 13 10:33:47 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ----------------------------------------------------------------------- Summary of changes: src/cisco_lib/NATCompiler_asa8.cpp | 47 ++++++++++++++++++ src/cisco_lib/NATCompiler_asa8.h | 6 ++ src/cisco_lib/NATCompiler_asa8_writers.cpp | 4 +- test/pix/cluster1-1_pix1.fw.orig | 2 +- test/pix/cluster1-1_pix2.fw.orig | 2 +- test/pix/cluster1_pix1.fw.orig | 2 +- test/pix/cluster1_pix2.fw.orig | 2 +- test/pix/firewall.fw.orig | 2 +- test/pix/firewall1.fw.orig | 2 +- test/pix/firewall10.fw.orig | 2 +- test/pix/firewall11.fw.orig | 2 +- test/pix/firewall12.fw.orig | 2 +- test/pix/firewall13.fw.orig | 2 +- test/pix/firewall14.fw.orig | 2 +- test/pix/firewall2.fw.orig | 2 +- test/pix/firewall20.fw.orig | 2 +- test/pix/firewall21-1.fw.orig | 2 +- test/pix/firewall21.fw.orig | 2 +- test/pix/firewall22.fw.orig | 2 +- test/pix/firewall3.fw.orig | 2 +- test/pix/firewall33.fw.orig | 2 +- test/pix/firewall34.fw.orig | 2 +- test/pix/firewall4.fw.orig | 2 +- test/pix/firewall50.fw.orig | 2 +- test/pix/firewall6.fw.orig | 2 +- test/pix/firewall8.fw.orig | 2 +- test/pix/firewall80.fw.orig | 2 +- test/pix/firewall81.fw.orig | 2 +- test/pix/firewall82.fw.orig | 2 +- test/pix/firewall83.fw.orig | 3 +- test/pix/firewall9.fw.orig | 2 +- test/pix/firewall90.fw.orig | 60 +++++++++++++++-------- test/pix/firewall91.fw.orig | 2 +- test/pix/firewall92.fw.orig | 2 +- test/pix/fwsm1.fw.orig | 2 +- test/pix/fwsm2.fw.orig | 2 +- test/pix/objects-for-regression-tests.fwb | 74 ++++++++++++++++++++++----- test/pix/pix515.fw.orig | 2 +- test/pix/real.fw.orig | 2 +- 39 files changed, 190 insertions(+), 70 deletions(-) hooks/post-receive -- Firewall Builder GUI and Policy Compilers Open Source Code |