[fwbuilder-commits] [SCM] Firewall Builder GUI and Policy Compilers Open Source Code branch, develo
From: <gi...@ir...> - 2011-01-17 22:36:09
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Firewall Builder GUI and Policy Compilers Open Source Code". The branch, development has been updated via ca475b24d70b7501d7edc316d25c18840638a7b5 (commit) from 8a91ae3882442d9ce227477583e1498a099e1559 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit ca475b24d70b7501d7edc316d25c18840638a7b5 Author: Vadim Kurland <va...@sl...> Date: Mon Jan 17 14:35:55 2011 -0800 fixes #1948 incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA v<8.3 diff --git a/doc/ChangeLog b/doc/ChangeLog index 30be888..505dc2b 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,11 @@ 2011-01-17 vadim <va...@ne...> + * PolicyCompiler_pix.cpp (processNext): fixes #1948 "incorrect + configuration created when a CustomService object is used in a + policy rule for PIX/ASA v<8.3". Since we do not support custom + service objects in policy and nat rules for versions older than + 8.3, added check to generate fatal error when such object is used. + * NamedObjectsAndGroupsSupport.cpp (init): fixes #1945 "object-group names include ever-growing suffix". Object-groups created by the compiler for PIX/ASA had numerical suffix that was diff --git a/src/cisco_lib/NATCompiler_asa8.cpp b/src/cisco_lib/NATCompiler_asa8.cpp index a3a17e8..46d0ff0 100644 --- a/src/cisco_lib/NATCompiler_asa8.cpp +++ b/src/cisco_lib/NATCompiler_asa8.cpp 
@@ -352,6 +352,7 @@ void NATCompiler_asa8::compile() add( new VerifyValidityOfDNSOption( "Check validity of 'translate dns' option")); + add( new SpecialServicesOSrv( "check for special services" )); add( new CreateObjectGroupsForOSrc("create object groups for OSrc")); add( new CreateObjectGroupsForODst("create object groups for ODst")); diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp index b270ed9..fbfef26 100644 --- a/src/cisco_lib/NATCompiler_pix.cpp +++ b/src/cisco_lib/NATCompiler_pix.cpp @@ -1728,6 +1728,8 @@ void NATCompiler_pix::compile() if (fw->getOptionsObject()->getBool("pix_optimize_default_nat")) add (new clearOSrc ("clear OSrc" )); + add( new SpecialServicesOSrv( "check for special services" )); + add( new createNATCmd ("create NAT commands" )); add( new createStaticCmd ("create static commands" )); add( new mergeNATCmd ("merge NAT commands" )); diff --git a/src/cisco_lib/NATCompiler_pix.h b/src/cisco_lib/NATCompiler_pix.h index 44185fa..e6549ca 100644 --- a/src/cisco_lib/NATCompiler_pix.h +++ b/src/cisco_lib/NATCompiler_pix.h @@ -31,6 +31,7 @@ #include "Helper.h" #include "NamedObjectsAndGroupsSupport.h" #include "splitByNetworkZonesForRE.h" +#include "specialServices.h" #include <map> #include <deque> @@ -278,6 +279,13 @@ namespace fwcompiler { DECLARE_NAT_RULE_PROCESSOR( clearOSrc ); friend class NATCompiler_pix::clearOSrc; + class SpecialServicesOSrv : public SpecialServices + { + public: + SpecialServicesOSrv(const std::string &n): + SpecialServices(n, libfwbuilder::RuleElementOSrv::TYPENAME) {} + }; + /** * eliminates duplicate objects in SRC. Uses default comparison * in eliminateDuplicatesInRE which compares IDs diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp index 148f20c..2a42b4a 100644 --- a/src/cisco_lib/PolicyCompiler_pix.cpp +++ b/src/cisco_lib/PolicyCompiler_pix.cpp 
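Review bot: Both NAT pipelines (NATCompiler_asa8::compile here and NATCompiler_pix::compile in the following hunk) now run SpecialServicesOSrv, whose processNext (specialServices.cpp hunk) handles an IP service with `fragm`/`short_fragm` by setting `fragguard` only when `dynamic_cast<PolicyCompiler_pix*>(compiler)` succeeds and then returning without queueing the rule; inside a NAT compiler that cast yields NULL, so as far as the visible code shows such a NAT rule is silently dropped from the generated configuration with no flag set and no diagnostic. A rule that vanishes without an error is worse than a compile failure, so the NAT case should abort instead, e.g. `if (pix_comp==NULL) { compiler->abort(rule, "fragment matching is not supported in NAT rules"); return true; }` placed before the `fragguard` assignment in specialServices.cpp. Both compile() bodies extend outside their hunks.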
@@ -38,6 +38,7 @@ #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" +#include "fwbuilder/CustomService.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" @@ -251,46 +252,6 @@ bool PolicyCompiler_pix::checkVersionAndDynamicInterface::processNext() return true; } -bool PolicyCompiler_pix::SpecialServices::processNext() -{ - PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler); - PolicyRule *rule=getNext(); if (rule==NULL) return false; - Service *s=compiler->getFirstSrv(rule); - - if (IPService::cast(s)!=NULL) { - if (s->getBool("short_fragm") || - s->getBool("fragm") ) { - - pix_comp->fragguard=true; - return true; // do not copy the rule - } - if (s->getBool("rr") || - s->getBool("ssrr") || - s->getBool("ts") ) - { - compiler->abort( - rule, - "PIX does not support checking for IP options in ACLs."); - return true; - } - } - if (TCPService::cast(s)!=NULL) { - if (s->getBool("ack_flag") || - s->getBool("fin_flag") || - s->getBool("rst_flag") || - s->getBool("syn_flag") ) - { - compiler->abort( - rule, - "PIX does not support checking for TCP options in ACLs."); - return true; - } - } - - tmp_queue.push_back(rule); - return true; -} - /* * if dst contains firewall, it must be a single object there. */ @@ -651,7 +612,7 @@ void PolicyCompiler_pix::compile() else add( new pickACL_v6( "assign ACLs for v6" )); - add( new SpecialServices( "check for special services" )); + add( new SpecialServicesSrv( "check for special services" )); add( new CheckForUnsupportedUserService("check for user service") ); add( new checkForZeroAddr( "check for zero addresses" )); add( new checkVersionAndDynamicInterface( diff --git a/src/cisco_lib/PolicyCompiler_pix.h b/src/cisco_lib/PolicyCompiler_pix.h index 5c9c8ca..e0fc1b4 100644 --- a/src/cisco_lib/PolicyCompiler_pix.h +++ b/src/cisco_lib/PolicyCompiler_pix.h 
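Review bot: The added `#include "fwbuilder/CustomService.h"` appears unused in this file after this commit, since the CustomService check was moved into specialServices.cpp (which carries its own include) and the removed processNext was the only code here that would have needed it; unless code outside the hunk references CustomService, the include should be dropped rather than left as a misleading dependency. compile() continues outside the hunk.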
@@ -34,6 +34,7 @@ #include "Helper.h" #include "ACL.h" #include "PolicyCompiler_cisco.h" +#include "specialServices.h" namespace libfwbuilder { class IPService; @@ -149,19 +150,14 @@ namespace fwcompiler { ************************************************************************* */ - /** - * this processor checks for the services which require - * special treatment. Some of these will be checking for - * source or destination object as well because special - * command may need to be generated in case source or - * destination is a firewall itself. Therefore this processor - * should be called after converting to atomic rules, but - * before interface addresses in source and destination are - * expanded. - */ - DECLARE_POLICY_RULE_PROCESSOR( SpecialServices ); - friend class PolicyCompiler_pix::SpecialServices; - + class SpecialServicesSrv : public SpecialServices + { + public: + SpecialServicesSrv(const std::string &n): + SpecialServices(n, libfwbuilder::RuleElementSrv::TYPENAME) {} + }; + friend class SpecialServices; + /** * sets boolean flag icmp_cmd to be able to generate command * "icmp" instead of "access-list" later. Call this processor diff --git a/src/cisco_lib/cisco_lib.pro b/src/cisco_lib/cisco_lib.pro index 621d8b7..4b7dcd7 100644 --- a/src/cisco_lib/cisco_lib.pro +++ b/src/cisco_lib/cisco_lib.pro @@ -10,6 +10,7 @@ SOURCES = PolicyCompiler_cisco.cpp \ RoutingCompiler_cisco.cpp \ RoutingCompiler_cisco_writers.cpp \ splitByNetworkZonesForRE.cpp \ + specialServices.cpp \ ACL.cpp \ NamedObject.cpp \ ASA8TwiceNatLogic.cpp \ @@ -54,6 +55,7 @@ SOURCES = PolicyCompiler_cisco.cpp \ HEADERS = ../../config.h \ splitByNetworkZonesForRE.h \ + specialServices.h \ ACL.h \ Helper.h \ NamedObject.h \ diff --git a/src/cisco_lib/specialServices.cpp b/src/cisco_lib/specialServices.cpp new file mode 100644 index 0000000..b54badf --- /dev/null +++ b/src/cisco_lib/specialServices.cpp 
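Review bot: The nested `SpecialServicesSrv` has a one-argument constructor that is not `explicit`, so any `std::string` converts implicitly to a rule processor; `explicit SpecialServicesSrv(const std::string &n):` keeps the `add( new SpecialServicesSrv(...) )` call site working and prevents accidental conversions. The same applies to `SpecialServicesOSrv` in the NATCompiler_pix.h hunk. The `friend class SpecialServices;` line is what lets the base processor write `fragguard` from outside the class; a one-line comment saying so (`// SpecialServices::processNext() sets fragguard`) would save the next reader from wondering why the base class, not the nested wrapper, is the friend.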
@@ -0,0 +1,93 @@
+/*
+
+ Firewall Builder
+
+ Copyright (C) 2002-2011 NetCitadel, LLC
+
+ Author: Vadim Kurland va...@fw...
+
+ This program is free software which we release under the GNU General Public
+ License. You may redistribute and/or modify this program under the terms
+ of that license as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ To get a copy of the GNU General Public License, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+*/
+
+#include "specialServices.h"
+#include "PolicyCompiler_pix.h"
+
+#include "fwbuilder/IPService.h"
+#include "fwbuilder/TCPService.h"
+#include "fwbuilder/CustomService.h"
+#include "fwcompiler/Compiler.h"
+
+
+using namespace libfwbuilder;
+using namespace fwcompiler;
+using namespace std;
+
+
+bool SpecialServices::processNext()
+{
+ PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
+ Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
+ RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
+ FWObject *obj = FWReference::getObject(re->front());
+ Service *s = Service::cast(obj);
+
+ string version = compiler->fw->getStr("version");
+
+ if (IPService::cast(s)!=NULL)
+ {
+ if (s->getBool("short_fragm") ||
+ s->getBool("fragm") )
+ {
+ if (pix_comp) pix_comp->fragguard = true;
+ return true; // do not copy the rule
+ }
+ if (s->getBool("rr") ||
+ s->getBool("ssrr") ||
+ s->getBool("ts") )
+ {
+ compiler->abort(
+ rule,
+ "PIX does not support checking for IP options in ACLs.");
+ return true;
+ }
+ }
+
+ if (TCPService::cast(s)!=NULL)
+ {
+ if (s->getBool("ack_flag") ||
+ s->getBool("fin_flag") ||
+ s->getBool("rst_flag") ||
+ s->getBool("syn_flag") )
+ {
+ compiler->abort(
+ rule,
+ "PIX does not support checking for TCP options in ACLs.");
+ return true;
+ }
+ }
+
+ if (CustomService::cast(s)!=NULL &&
+ XMLTools::version_compare(version, "8.3")<0)
+ {
+ compiler->abort(
+ rule,
+ "CustomService objects are only supported for ASA 8.3 and later");
+ return true;
+ }
+
+ tmp_queue.push_back(rule);
+ return true;
+}
+
diff --git a/src/cisco_lib/specialServices.h b/src/cisco_lib/specialServices.h
new file mode 100644
index 0000000..4f3a9d8
--- /dev/null
+++ b/src/cisco_lib/specialServices.h
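Review bot: `re` is dereferenced unconditionally at `re->front()`, but `rule->getFirstByType(re_type)` can return NULL when the rule carries no element of that type (a processor constructed with the Srv type name but fed NAT rules, or vice versa), and the element could in principle be empty; the removed PolicyCompiler_pix version went through `compiler->getFirstSrv(rule)` and did not have this hazard. A guard before the `FWReference::getObject` call, e.g. `if (re==NULL) { tmp_queue.push_back(rule); return true; }` (or an assert, if a missing element is considered a programming error), keeps a misordered processor chain from crashing the compiler instead of reporting. `XMLTools::version_compare(version, "8.3")` is now evaluated for PIX and FWSM version strings as well (the test set includes "fwsm 4.x"); it is worth confirming that comparison is well-defined for non-numeric versions so the CustomService check does not pass by accident on those platforms. Aborting rather than emitting something is the right fail-closed choice here: the firewall80.fw.orig hunk shows the old output rendered the custom-service rules as `deny any any host 192.168.1.10`, which does not express the rule's service at all.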
@@ -0,0 +1,59 @@
+/*
+
+ Firewall Builder
+
+ Copyright (C) 2002-2011 NetCitadel, LLC
+
+ Author: Vadim Kurland va...@fw...
+
+ This program is free software which we release under the GNU General Public
+ License. You may redistribute and/or modify this program under the terms
+ of that license as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ To get a copy of the GNU General Public License, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+*/
+
+
+#ifndef __SPECIALSERVICES_HH
+#define __SPECIALSERVICES_HH
+
+#include "fwbuilder/RuleElement.h"
+#include "fwcompiler/RuleProcessor.h"
+
+namespace libfwbuilder {
+ class Address;
+ class Rule;
+};
+
+namespace fwcompiler
+{
+
+ /**
+ * this processor checks for the services which require
+ * special treatment. Some of these will be checking for
+ * source or destination object as well because special
+ * command may need to be generated in case source or
+ * destination is a firewall itself. Therefore this processor
+ * should be called after converting to atomic rules, but
+ * before interface addresses in source and destination are
+ * expanded.
+ */
+ class SpecialServices : public BasicRuleProcessor
+ {
+ std::string re_type;
+public:
+ SpecialServices(const std::string &name, const std::string &_type) :
+ BasicRuleProcessor(name) {re_type=_type; }
+ virtual bool processNext();
+ };
+}
+
+#endif
diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig
index 02524df..069412a 100755
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
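Review bot: The header uses `std::string` for `re_type` and both constructor parameters but does not include `<string>`, relying on whatever RuleElement.h or RuleProcessor.h happen to pull in; add `#include <string>` so the header stands on its own. The constructor assigns `re_type` in its body instead of the initializer list; `BasicRuleProcessor(name), re_type(_type) {}` is the idiomatic form. The class comment was carried over from the old PolicyCompiler_pix processor and still talks only about source and destination and ACL generation, while the class is now parameterised by `re_type` and installed in the NAT compilers as well; a sentence such as `re_type names the rule element (Srv or OSrv) whose first service is examined` would keep the comment honest. The guard `__SPECIALSERVICES_HH` uses a reserved double-underscore identifier; if the project's other headers do the same this is a convention to fix globally, otherwise `SPECIALSERVICES_HH` is the safe spelling.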
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:26 2011 PST by vadim +! Generated Mon Jan 17 14:35:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index eed2594..99220f8 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:26 2011 PST by vadim +! Generated Mon Jan 17 14:35:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 0568103..7ff8942 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:26 2011 PST by vadim +! Generated Mon Jan 17 14:35:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 7086645..a2fe232 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:26 2011 PST by vadim +! Generated Mon Jan 17 14:35:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index 9fa73c5..80b686e 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:00 2011 PST by vadim +! Generated Mon Jan 17 14:34:43 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 0ffcfcd..37da552 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:01 2011 PST by vadim +! Generated Mon Jan 17 14:34:44 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index c630ceb..af11917 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:02 2011 PST by vadim +! Generated Mon Jan 17 14:34:44 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index cc78245..7b0e778 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:03 2011 PST by vadim +! Generated Mon Jan 17 14:34:45 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 763c602..bcdbe7e 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:03 2011 PST by vadim +! Generated Mon Jan 17 14:34:46 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 30ef5d3..93e01b1 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:04 2011 PST by vadim +! Generated Mon Jan 17 14:34:47 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index bd5e852..885d42e 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:05 2011 PST by vadim +! Generated Mon Jan 17 14:34:47 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 4014739..45cae79 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:05 2011 PST by vadim +! Generated Mon Jan 17 14:34:48 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index 090ef69..14a3784 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:06 2011 PST by vadim +! Generated Mon Jan 17 14:34:49 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 0c9ea3f..e9563ed 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:07 2011 PST by vadim +! Generated Mon Jan 17 14:34:50 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 626351f..b98931f 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:07 2011 PST by vadim +! Generated Mon Jan 17 14:34:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index ad802a6..45af547 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:08 2011 PST by vadim +! Generated Mon Jan 17 14:34:51 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index 8dabc13..747d141 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:09 2011 PST by vadim +! Generated Mon Jan 17 14:34:52 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index 248e94e..f550838 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:10 2011 PST by vadim +! Generated Mon Jan 17 14:34:53 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index 32c505e..f053a5f 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:11 2011 PST by vadim +! Generated Mon Jan 17 14:34:54 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 40ff304..d4c11ce 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:11 2011 PST by vadim +! Generated Mon Jan 17 14:34:54 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index dd8d5d5..2603f43 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:12 2011 PST by vadim +! Generated Mon Jan 17 14:34:55 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 3439b52..56ec6b6 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:13 2011 PST by vadim +! Generated Mon Jan 17 14:34:56 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index d162e47..6a8bb15 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:14 2011 PST by vadim +! Generated Mon Jan 17 14:34:57 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 4588b54..20be26c 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:15 2011 PST by vadim +! Generated Mon Jan 17 14:34:58 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported 
@@ -15,7 +15,12 @@ ! ! testing rules with broadcasts -! C firewall80:Policy:: error: ASA8ObjectGroup: Unsupported object 'custom serv 1' found in object group +! C firewall80:Policy:9: error: CustomService objects are only supported for ASA 8.3 and later +! C firewall80:Policy:9: error: CustomService objects are only supported for ASA 8.3 and later +! C firewall80:Policy:10: error: CustomService objects are only supported for ASA 8.3 and later +! C firewall80:Policy:10: error: CustomService objects are only supported for ASA 8.3 and later + +! N firewall80:NAT:0: error: CustomService objects are only supported for ASA 8.3 and later ! ! Prolog script: @@ -123,7 +128,6 @@ object-group service inside.id21447X11252.srv.mixed.0 service-object tcp eq 3128 exit - ! ! Rule 0 (FastEthernet1) ssh 0.0.0.0 0.0.0.0 inside @@ -171,18 +175,6 @@ icmp permit 192.168.1.0 255.255.255.192 3 inside access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.192 host 192.168.1.1 object-group inside.id21447X11252.srv.icmp.0 access-list inside_acl_in permit 192.168.1.0 255.255.255.192 any object-group inside.id21447X11252.srv.mixed.0 ! -! Rule 9 (global) -! for #1942 -! using custom service -access-list outside_acl_in deny any any host 192.168.1.10 -access-list inside_acl_in deny any any host 192.168.1.10 -! -! Rule 10 (global) -! for #1942 -! using custom service -access-list outside_acl_in deny any host 192.168.1.10 object-group outside.id79024X21575.srv.mixed.0 -access-list inside_acl_in deny any host 192.168.1.10 object-group outside.id79024X21575.srv.mixed.0 -! ! Rule 11 (global) access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index 321d447..5ad40fd 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:15 2011 PST by vadim +! Generated Mon Jan 17 14:34:58 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 9bb95db..51cd69e 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:16 2011 PST by vadim +! Generated Mon Jan 17 14:34:59 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 052ed07..0fe194d 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:17 2011 PST by vadim +! Generated Mon Jan 17 14:35:00 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index bfe06d3..4658dd0 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:17 2011 PST by vadim +! Generated Mon Jan 17 14:35:00 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index c1b4680..43d4536 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:18 2011 PST by vadim +! Generated Mon Jan 17 14:35:01 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 6bdfb6f..c3ee795 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:19 2011 PST by vadim +! Generated Mon Jan 17 14:35:02 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index ae16cc7..ded589d 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:20 2011 PST by vadim +! Generated Mon Jan 17 14:35:03 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index c9d53ad..3ed8e9e 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:20 2011 PST by vadim +! Generated Mon Jan 17 14:35:03 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index aed3ff0..7010e94 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:21 2011 PST by vadim +! Generated Mon Jan 17 14:35:04 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index 6b79879..6fc321d 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:22 2011 PST by vadim +! Generated Mon Jan 17 14:35:05 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index 557c978..eec2ecf 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb 
@@ -17021,8 +17021,29 @@ no sysopt nodnsalias outbound </Option> </FirewallOptions> </Firewall> - <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295243635" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False"> + <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295302047" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False"> <NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> + <NATRule id="id70310X19497" disabled="False" position="0" action="Translate" comment=""> + <OSrc neg="False"> + <ObjectRef ref="sysid0"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="id86637X27607"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="id21571X21575"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="sysid0"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="host-hostA"/> + </TDst> + <TSrv neg="False"> + <ServiceRef ref="sysid1"/> + </TSrv> + <NATRuleOptions/> + </NATRule> <RuleSetOptions/> </NAT> <Policy id="id18883X29796" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index fceb061..b52af4d 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:23 2011 PST by vadim +! Generated Mon Jan 17 14:35:06 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 0ed3f6e..58666f3 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:24 2011 PST by vadim +! Generated Mon Jan 17 14:35:07 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported ----------------------------------------------------------------------- Summary of changes: doc/ChangeLog | 6 ++ src/cisco_lib/NATCompiler_asa8.cpp | 1 + src/cisco_lib/NATCompiler_pix.cpp | 2 + src/cisco_lib/NATCompiler_pix.h | 8 ++ src/cisco_lib/PolicyCompiler_pix.cpp | 43 +--------- src/cisco_lib/PolicyCompiler_pix.h | 22 ++--- src/cisco_lib/cisco_lib.pro | 2 + src/cisco_lib/specialServices.cpp | 93 ++++++++++++++++++++ ...plitByNetworkZonesForRE.h => specialServices.h} | 29 +++--- test/pix/cluster1-1_pix1.fw.orig | 2 +- test/pix/cluster1-1_pix2.fw.orig | 2 +- test/pix/cluster1_pix1.fw.orig | 2 +- test/pix/cluster1_pix2.fw.orig | 2 +- test/pix/firewall.fw.orig | 2 +- test/pix/firewall1.fw.orig | 2 +- test/pix/firewall10.fw.orig | 2 +- test/pix/firewall11.fw.orig | 2 +- test/pix/firewall12.fw.orig | 2 +- test/pix/firewall13.fw.orig | 2 +- test/pix/firewall14.fw.orig | 2 +- test/pix/firewall2.fw.orig | 2 +- test/pix/firewall20.fw.orig | 2 +- test/pix/firewall21-1.fw.orig | 2 +- test/pix/firewall21.fw.orig | 2 +- test/pix/firewall22.fw.orig | 2 +- test/pix/firewall3.fw.orig | 2 +- test/pix/firewall33.fw.orig | 2 +- test/pix/firewall34.fw.orig | 2 +- test/pix/firewall4.fw.orig | 2 +- test/pix/firewall50.fw.orig | 2 +- test/pix/firewall6.fw.orig | 2 +- test/pix/firewall8.fw.orig | 2 +- test/pix/firewall80.fw.orig | 22 ++--- test/pix/firewall81.fw.orig | 2 +- test/pix/firewall82.fw.orig | 2 +- test/pix/firewall83.fw.orig | 2 +- test/pix/firewall9.fw.orig | 2 +- test/pix/firewall90.fw.orig | 2 +- test/pix/firewall91.fw.orig | 2 +- test/pix/firewall92.fw.orig | 2 +- test/pix/firewall93.fw.orig | 2 +- test/pix/fwsm1.fw.orig | 2 +- test/pix/fwsm2.fw.orig | 2 +- test/pix/objects-for-regression-tests.fwb | 23 +++++- test/pix/pix515.fw.orig | 2 +- 
test/pix/real.fw.orig | 2 +- 46 files changed, 202 insertions(+), 119 deletions(-) create mode 100644 src/cisco_lib/specialServices.cpp copy src/cisco_lib/{splitByNetworkZonesForRE.h => specialServices.h} (64%) hooks/post-receive -- Firewall Builder GUI and Policy Compilers Open Source Code |