
* NamedObjectsAndGroupsSupport.cpp (processNext): Added support for

CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
 -- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
 -- see #1929 "move map named_objects inside class NamedObjectManager"
 -- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
 -- see #1885 "named network and service objects in pix8"
Vadim Kurland 2011-01-16 23:02:49 -08:00
parent e2c2725e6b
commit 139d5ce2de
84 changed files with 534 additions and 172 deletions


@ -1,5 +1,15 @@
2011-01-16 vadim <vadim@netcitadel.com>
* NamedObjectsAndGroupsSupport.cpp (processNext): Added support for
CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
-- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
-- see #1929 "move map named_objects inside class NamedObjectManager"
-- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
-- see #1885 "named network and service objects in pix8"
* NATCompiler_pix.cpp (processNext): see #1941 "ASA NAT - compiler
complains about range in original destination". NAT rules
translating destination allow Address Range objects in ODst or TDst


@ -26,6 +26,7 @@
#include "config.h"
#include "ASA8ObjectGroup.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/Network.h"
@ -41,9 +42,10 @@ using namespace libfwbuilder;
using namespace std;
using namespace fwcompiler;
const char *ASA8ObjectGroup::TYPENAME={"ASA8ObjectGroup"};
string ASA8ObjectGroup::toString(std::map<int, NamedObject*> &named_objects_registry)
string ASA8ObjectGroup::toString(NamedObjectManager *named_object_manager)
throw(FWException)
{
ostringstream ostr;
@ -58,11 +60,14 @@ string ASA8ObjectGroup::toString(std::map<int, NamedObject*> &named_objects_regi
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
NamedObject *named_object = named_objects_registry[obj->getId()];
NamedObject *named_object =
named_object_manager->named_objects[obj->getId()];
if (named_object)
{
ostr << " "
<< named_object->getCommandWhenObjectGroupMember().toStdString();
<< named_object->getCommandWhenObjectGroupMember(
named_object_manager->fw).toStdString();
ostr << endl;
continue;
}
@ -134,7 +139,8 @@ string ASA8ObjectGroup::toString(std::map<int, NamedObject*> &named_objects_regi
continue;
}
throw FWException("ASA8ObjectGroup: Unknown object group type");
QString err("ASA8ObjectGroup: Unsupported object '%1' found in object group");
throw FWException(err.arg(obj->getName().c_str()).toStdString());
}
}
ostr << " exit" << endl << endl;
@ -145,10 +151,8 @@ string ASA8ObjectGroup::getObjectGroupClass()
{
switch (this->getObjectGroupType())
{
case NETWORK: return "network";
case MIXED_SERVICE: return "service";;
default:
throw FWException("ASA8ObjectGroup: Unknown object group type");
default: return BaseObjectGroup::getObjectGroupClass();
}
}
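Review bot: The new lookup `named_object_manager->named_objects[obj->getId()]` uses `std::map::operator[]`, so every group member that has no named object inserts a NULL entry into the manager's registry as a side effect of printing; the map then no longer reflects what addNamedObject() actually registered (the destructor's `delete` on those NULLs is harmless, but the growth is silent). A read-only lookup keeps toString() from mutating the registry: `std::map<int, NamedObject*>::const_iterator it = named_object_manager->named_objects.find(obj->getId()); NamedObject *named_object = (it == named_object_manager->named_objects.end()) ? NULL : it->second;`. The same `operator[]` pattern is kept in NamedObjectManager::getNamedObject() in NamedObjectsAndGroupsSupport.cpp. `named_object_manager` is dereferenced without a NULL check; as far as these hunks show it only arrives via setNamedObjectManager(), so an `assert(named_object_manager);` at the top of toString() would turn a missed setter call into a clear failure. The body of toString() extends beyond this hunk.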


@ -40,7 +40,7 @@ public:
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString(std::map<int, NamedObject*> &named_objects_registry)
virtual std::string toString(NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException);
};


@ -33,6 +33,7 @@
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include <iostream>
#include <sstream>
@ -74,6 +75,7 @@ void BaseObjectGroup::setObjectGroupTypeFromFWObject(FWObject *obj)
if (ICMPService::cast(obj)!=NULL) setObjectGroupType(ICMP_TYPE);
if (TCPService::cast(obj)!=NULL) setObjectGroupType(TCP_SERVICE);
if (UDPService::cast(obj)!=NULL) setObjectGroupType(UDP_SERVICE);
if (CustomService::cast(obj)!=NULL) setObjectGroupType(MIXED_SERVICE);
}
void BaseObjectGroup::setName(const std::string &prefix)
@ -132,7 +134,7 @@ string BaseObjectGroup::getObjectGroupClass()
return "";
}
string BaseObjectGroup::toString(std::map<int, NamedObject*>&) throw(FWException)
string BaseObjectGroup::toString(NamedObjectManager*) throw(FWException)
{
return "";
}


@ -35,6 +35,8 @@
namespace fwcompiler {
class NamedObjectManager;
class BaseObjectGroup : public libfwbuilder::Group {
public:
@ -76,7 +78,7 @@ BaseObjectGroup(object_group_type _gt=UNKNOWN) : libfwbuilder::Group() {
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString(std::map<int, NamedObject*> &named_objects_registry)
virtual std::string toString(NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException);
};


@ -185,6 +185,8 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
if (!single_rule_compile_on)
system_configuration_script = safetyNetInstall(fw);
NamedObjectManager named_object_manager(fw);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
@ -235,6 +237,7 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
PolicyCompiler_iosacl c(objdb, fw, ipv6_policy, oscnf.get());
c.setNamedObjectManager(&named_object_manager);
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
@ -283,6 +286,7 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
// currently routing is supported only for ipv4
RoutingCompiler_iosacl r(objdb, fw, false, oscnf.get());
r.setNamedObjectManager(&named_object_manager);
r.setSourceRuleSet(routing);
r.setRuleSetName(routing->getName());


@ -288,6 +288,8 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
copies_of_cluster_interfaces.pop_front();
}
NamedObjectManager named_object_manager(fw);
all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
@ -373,6 +375,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
RuleSet *nat = RuleSet::cast(fw->getFirstByType(NAT::TYPENAME));
if (nat)
{
n->setNamedObjectManager(&named_object_manager);
n->setSourceRuleSet(nat);
n->setRuleSetName(nat->getName());
@ -397,6 +400,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
RuleSet *policy = RuleSet::cast(fw->getFirstByType(Policy::TYPENAME));
if (policy)
{
c->setNamedObjectManager(&named_object_manager);
c->setSourceRuleSet(policy);
c->setRuleSetName(policy->getName());
@ -421,6 +425,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME));
if (routing)
{
r->setNamedObjectManager(&named_object_manager);
r->setSourceRuleSet(routing);
r->setRuleSetName(routing->getName());


@ -172,6 +172,8 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
if (!single_rule_compile_on)
system_configuration_script = safetyNetInstall(fw);
NamedObjectManager named_object_manager(fw);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
@ -222,6 +224,7 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
PolicyCompiler_procurve_acl c(objdb, fw, ipv6_policy, oscnf.get());
c.setNamedObjectManager(&named_object_manager);
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
@ -270,6 +273,7 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
// currently routing is supported only for ipv4
RoutingCompiler_procurve_acl r(objdb, fw, false, oscnf.get());
r.setNamedObjectManager(&named_object_manager);
r.setSourceRuleSet(routing);
r.setRuleSetName(routing->getName());


@ -45,7 +45,7 @@ using namespace std;
const char *IOSObjectGroup::TYPENAME={"IOSObjectGroup"};
string IOSObjectGroup::toString(std::map<int, NamedObject*>&) throw(FWException)
string IOSObjectGroup::toString(NamedObjectManager*) throw(FWException)
{
ostringstream ostr;


@ -40,7 +40,7 @@ public:
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString(std::map<int, NamedObject*> &named_objects_registry)
virtual std::string toString(NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException);
};


@ -381,8 +381,10 @@ void NATCompiler_asa8::compile()
*/
add( new PrintClearCommands("Clear ACLs" ));
add( new printNamedObjects("definitions of named objects"));
add( new printObjectGroups("definitions of object groups"));
add( new printNamedObjectsForNAT(
"definitions of named objects", named_objects_manager));
add( new printObjectGroups(
"definitions of object groups", named_objects_manager));
add( new PrintRule("generate PIX code" ));
add( new storeProcessedRules ("store processed rules" ));
add( new simplePrintProgress ());


@ -105,7 +105,7 @@ QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj)
if (Address::cast(obj) && Address::cast(obj)->isAny()) return "any";
NamedObject* asa8_object = NamedObjectManager::getNamedObject(obj);
NamedObject* asa8_object = pix_comp->named_objects_manager->getNamedObject(obj);
if (asa8_object) return asa8_object->getCommandWord();
for (FWObject::iterator i=CreateObjectGroups::object_groups->begin();
@ -125,7 +125,7 @@ QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj)
void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
{
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
//NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
FWOptions *ropt = rule->getOptionsObject();
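Review bot: The commented-out `//NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);` in printSDNAT() should be deleted rather than left in place; the line is recoverable from history, and as a comment it reads as if the cast were still needed. The same applies to `//FWOptions *ruleopt =rule->getOptionsObject();` in PolicyCompiler_iosacl_writers.cpp. In printSingleObject(), `pix_comp->named_objects_manager->getNamedObject(obj)` dereferences two pointers that are set up outside this hunk; if `pix_comp` is the result of a dynamic_cast, an `assert(pix_comp && pix_comp->named_objects_manager);` before the lookup would make a failed cast or a missing setNamedObjectManager() call fail clearly instead of crashing later. Both functions extend beyond the hunk.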


@ -29,6 +29,7 @@
#include "fwcompiler/NATCompiler.h"
#include "Helper.h"
#include "NamedObjectsAndGroupsSupport.h"
#include <map>
#include <deque>
@ -83,6 +84,7 @@ namespace fwcompiler {
public:
Helper helper;
NamedObjectManager *named_objects_manager;
int global_pool_no;
std::map<int,NATCmd*> nat_commands;
@ -539,7 +541,12 @@ namespace fwcompiler {
void setACLFlag(const std::string& acl_name, int f) {
nat_acl_names[acl_name] = f;
}
};
void setNamedObjectManager(NamedObjectManager *mgr)
{
named_objects_manager = mgr;
}
};
}
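Review bot: `NamedObjectManager *named_objects_manager;` is added as a public raw-pointer member with no initializer, and NATCompiler_asa8::compile() now hands it to printNamedObjectsForNAT and printObjectGroups; a caller that constructs the compiler without calling setNamedObjectManager() passes an indeterminate pointer rather than NULL. The constructors are outside these hunks, so this may already be handled there; if not, initialize it in the constructor's initializer list (`named_objects_manager(NULL)`) and have the processors assert it is non-NULL before use. The same member and setter are added to PolicyCompiler_pix.h and RoutingCompiler_cisco.h in this commit, and the comment applies to them as well.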


@ -29,6 +29,7 @@
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/Network.h"
@ -253,7 +254,8 @@ QString NamedObject::sanitizeObjectName(const QString &name)
return qs;
}
QString NamedObject::createNetworkObjectCommand(const Address *addr_obj)
QString NamedObject::createNetworkObjectCommand(const Address *addr_obj,
const Firewall*)
{
if (addr_obj == NULL) return "";
if (addr_obj->isAny()) return "";
@ -314,7 +316,8 @@ QString NamedObject::printPorts(int rs, int re)
return res.join(" ");
}
QString NamedObject::createServiceObjectCommand(const Service *serv_obj)
QString NamedObject::createServiceObjectCommand(const Service *serv_obj,
const Firewall *fw)
{
if (serv_obj == NULL) return "";
if (serv_obj->isAny()) return "";
@ -327,10 +330,12 @@ QString NamedObject::createServiceObjectCommand(const Service *serv_obj)
QStringList service_line;
service_line << " service" << proto_name;
service_line << " service";
if (TCPService::isA(serv_obj) || UDPService::isA(serv_obj))
{
service_line << proto_name;
int rs = TCPUDPService::constcast(serv_obj)->getSrcRangeStart();
int re = TCPUDPService::constcast(serv_obj)->getSrcRangeEnd();
if (rs != 0 || re != 0)
@ -346,9 +351,17 @@ QString NamedObject::createServiceObjectCommand(const Service *serv_obj)
}
}
if (ICMPService::isA(serv_obj) && serv_obj->getInt("type")!=-1)
if (ICMPService::isA(serv_obj))
{
service_line << QString::number(serv_obj->getInt("type"));
service_line << proto_name;
if (serv_obj->getInt("type")!=-1)
service_line << QString::number(serv_obj->getInt("type"));
}
if (CustomService::isA(serv_obj))
{
service_line << CustomService::constcast(serv_obj)->getCodeForPlatform(
fw->getStr("platform")).c_str();
}
res << service_line.join(" ");
@ -358,18 +371,18 @@ QString NamedObject::createServiceObjectCommand(const Service *serv_obj)
}
QString NamedObject::getCommand()
QString NamedObject::getCommand(const Firewall *fw)
{
if (Address::constcast(obj)!=NULL)
return createNetworkObjectCommand(Address::constcast(obj));
return createNetworkObjectCommand(Address::constcast(obj), fw);
if (Service::constcast(obj)!=NULL)
return createServiceObjectCommand(Service::constcast(obj));
return createServiceObjectCommand(Service::constcast(obj), fw);
return "";
}
QString NamedObject::getCommandWhenObjectGroupMember()
QString NamedObject::getCommandWhenObjectGroupMember(const Firewall*)
{
if (Address::constcast(obj)!=NULL) return "network-object object " + name;
if (Service::constcast(obj)!=NULL) return "service-object object " + name;
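Review bot: In the CustomService branch of createServiceObjectCommand(), the result of `getCodeForPlatform(fw->getStr("platform"))` is appended to the `service` line unconditionally; with the new getCodeForPlatform() returning "" for a platform that has no code, the generated object definition becomes a bare ` service` line, which the device will reject, and nothing tells the user which object caused it. Check the result before appending and fail loudly, e.g. `std::string code = CustomService::constcast(serv_obj)->getCodeForPlatform(fw->getStr("platform")); if (code.empty()) throw FWException("CustomService has no code for platform " + fw->getStr("platform"));`, since silently dropping the object would change the meaning of the rule. The code string is written into the device configuration verbatim — intended for CustomService, but worth a one-line comment noting that this text is user-supplied and not validated by the compiler. `fw` is also dereferenced at that line without a NULL check, while createNetworkObjectCommand() ignores its new Firewall parameter entirely.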


@ -25,6 +25,7 @@
#define _ASA8_OBJECT_HH
#include "fwbuilder/FWObject.h"
#include "fwbuilder/Firewall.h"
#include <QString>
#include <QSet>
@ -42,14 +43,17 @@ namespace fwcompiler {
protected:
QString sanitizeObjectName(const QString &name);
QString createNetworkObjectCommand(const libfwbuilder::Address *addr);
QString createServiceObjectCommand(const libfwbuilder::Service *addr);
QString createNetworkObjectCommand(const libfwbuilder::Address *addr,
const libfwbuilder::Firewall *fw);
QString createServiceObjectCommand(const libfwbuilder::Service *addr,
const libfwbuilder::Firewall *fw);
public:
NamedObject(const libfwbuilder::FWObject *obj);
virtual QString getCommand();
virtual QString getCommandWhenObjectGroupMember();
virtual QString getCommand(const libfwbuilder::Firewall *fw);
virtual QString getCommandWhenObjectGroupMember(
const libfwbuilder::Firewall *fw);
QString getName() { return name; }
QString getCommandWord();
};


@ -34,6 +34,7 @@
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
@ -59,9 +60,24 @@ using namespace std;
Group* CreateObjectGroups::object_groups = NULL;
map<int, NamedObject*> CreateObjectGroups::named_objects;
map<int, NamedObject*> NamedObjectManager::named_objects;
NamedObjectManager::NamedObjectManager(const libfwbuilder::Firewall *_fw)
{
fw = _fw;
}
NamedObjectManager::~NamedObjectManager()
{
std::map<int, NamedObject*>::iterator it1;
for (it1=named_objects.begin(); it1!=named_objects.end(); ++it1)
{
delete it1->second;
}
named_objects.clear();
}
string NamedObjectManager::addNamedObject(const FWObject *obj)
{
string res;
@ -73,18 +89,18 @@ string NamedObjectManager::addNamedObject(const FWObject *obj)
}
return res;
}
if (CreateObjectGroups::named_objects[obj->getId()] == NULL)
if (named_objects[obj->getId()] == NULL)
{
NamedObject *asa8obj = new NamedObject(obj);
res = asa8obj->getCommand().toStdString();
CreateObjectGroups::named_objects[obj->getId()] = asa8obj;
res = asa8obj->getCommand(fw).toStdString();
named_objects[obj->getId()] = asa8obj;
}
return res;
}
NamedObject* NamedObjectManager::getNamedObject(const FWObject *obj)
{
return CreateObjectGroups::named_objects[obj->getId()];
return named_objects[obj->getId()];
}
@ -93,22 +109,11 @@ void CreateObjectGroups::init(FWObjectDatabase *db)
{
object_groups = new Group();
db->add( object_groups );
if (named_objects.size() > 0) clearNamedObjectsRegistry();
}
void CreateObjectGroups::clearNamedObjectsRegistry()
{
std::map<int, NamedObject*>::iterator it1;
for (it1=named_objects.begin(); it1!=named_objects.end(); ++it1)
{
delete it1->second;
}
named_objects.clear();
//if (named_objects.size() > 0) clearNamedObjectsRegistry();
}
CreateObjectGroups::~CreateObjectGroups()
{
clearNamedObjectsRegistry();
}
BaseObjectGroup* CreateObjectGroups::findObjectGroup(RuleElement *re)
@ -151,20 +156,38 @@ BaseObjectGroup* CreateObjectGroups::findObjectGroup(RuleElement *re)
bool CreateObjectGroups::processNext()
{
Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInterfaceId()));
assert(rule_iface);
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size()==1) // no need to create object-group since there is single object in the rule element
/*
* If rule element holds just one object, then there is no need to create
* object group. However if this one object is CustomService, then we
* should create the group anyway.
*/
if (re->size()==1)
{
tmp_queue.push_back(rule);
return true;
if (XMLTools::version_compare(version, "8.3")>=0)
{
FWObject *obj = FWReference::getObject(re->front());
if (!CustomService::isA(obj))
{
tmp_queue.push_back(rule);
return true;
}
} else
{
tmp_queue.push_back(rule);
return true;
}
}
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
bool supports_mixed_groups =
Resources::platform_res[platform]->getResourceBool(
string("/FWBuilderResources/Target/options/") +
@ -273,7 +296,7 @@ bool printObjectGroups::processNext()
compiler->output << endl;
try
{
compiler->output << og->toString(CreateObjectGroups::named_objects);
compiler->output << og->toString(named_objects_manager);
} catch (FWException &ex)
{
compiler->abort(ex.toString());
@ -283,7 +306,7 @@ bool printObjectGroups::processNext()
return true;
}
void printNamedObjects::printObjectsForRE(RuleElement *re)
void printNamedObjectsCommon::printObjectsForRE(RuleElement *re)
{
if (re->isAny()) return;
@ -291,11 +314,27 @@ void printNamedObjects::printObjectsForRE(RuleElement *re)
{
FWObject *obj = FWReference::getObject(*it);
if (Interface::isA(obj)) continue;
compiler->output << NamedObjectManager::addNamedObject(obj);
compiler->output << named_objects_manager->addNamedObject(obj);
}
}
bool printNamedObjects::processNext()
bool printNamedObjectsForPolicy::haveCustomService(FWObject *grp)
{
for (FWObject::iterator it=grp->begin(); it!=grp->end(); ++it)
{
FWObject *obj = FWReference::getObject(*it);
if (BaseObjectGroup::constcast(obj)!=NULL)
{
if (haveCustomService(obj)) return true;
} else
{
if (CustomService::isA(obj)) return true;
}
}
return false;
}
bool printNamedObjectsForPolicy::processNext()
{
slurp();
if (tmp_queue.size()==0) return false;
@ -304,25 +343,56 @@ bool printNamedObjects::processNext()
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *rule = NATRule::cast( *k );
PolicyRule *policy_rule = PolicyRule::cast( *k );
if (policy_rule)
{
// At this time, we only need object groups in policy rules
// when CustomService object is used in Service
RuleElementOSrc *osrc_re = rule->getOSrc(); assert(osrc_re);
printObjectsForRE(osrc_re);
// RuleElementSrc *src_re = policy_rule->getSrc(); assert(src_re);
// printObjectsForRE(src_re);
// RuleElementDst *dst_re = policy_rule->getDst(); assert(dst_re);
// printObjectsForRE(dst_re);
RuleElementODst *odst_re = rule->getODst(); assert(odst_re);
printObjectsForRE(odst_re);
RuleElementSrv *srv_re = policy_rule->getSrv(); assert(srv_re);
if (haveCustomService(srv_re)) printObjectsForRE(srv_re);
}
}
RuleElementOSrv *osrv_re = rule->getOSrv(); assert(osrv_re);
printObjectsForRE(osrv_re);
return true;
}
RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re);
printObjectsForRE(tsrc_re);
RuleElementTDst *tdst_re = rule->getTDst(); assert(tdst_re);
printObjectsForRE(tdst_re);
bool printNamedObjectsForNAT::processNext()
{
slurp();
if (tmp_queue.size()==0) return false;
RuleElementTSrv *tsrv_re = rule->getTSrv(); assert(tsrv_re);
printObjectsForRE(tsrv_re);
compiler->output << endl;
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *nat_rule = NATRule::cast( *k );
if (nat_rule)
{
RuleElementOSrc *osrc_re = nat_rule->getOSrc(); assert(osrc_re);
printObjectsForRE(osrc_re);
RuleElementODst *odst_re = nat_rule->getODst(); assert(odst_re);
printObjectsForRE(odst_re);
RuleElementOSrv *osrv_re = nat_rule->getOSrv(); assert(osrv_re);
printObjectsForRE(osrv_re);
RuleElementTSrc *tsrc_re = nat_rule->getTSrc(); assert(tsrc_re);
printObjectsForRE(tsrc_re);
RuleElementTDst *tdst_re = nat_rule->getTDst(); assert(tdst_re);
printObjectsForRE(tdst_re);
RuleElementTSrv *tsrv_re = nat_rule->getTSrv(); assert(tsrv_re);
printObjectsForRE(tsrv_re);
}
}
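Review bot: The single-object shortcut in CreateObjectGroups::processNext() is now bypassed whenever `XMLTools::version_compare(version, "8.3")>=0` and the object is a CustomService, but the check looks only at the version string, and this processor is shared by the iosacl and procurve compilers (both drivers in this commit wire a NamedObjectManager into it). If an IOS version such as the `12.4` seen in the test outputs compares greater than `8.3`, a rule with a single CustomService on those platforms would be pushed into the object-group path, contrary to the commit's stated goal of restricting named objects to ASA 8. Consider gating on `platform` as well (it is already fetched at the top of the function), e.g. `bool asa83 = (platform == "pix") && XMLTools::version_compare(version, "8.3")>=0;` with whatever string identifies the pix/ASA family, after which the two identical `tmp_queue.push_back(rule); return true;` branches collapse into one `if (!(asa83 && CustomService::isA(obj)))`. getNamedObject() also still reads the registry with `named_objects[obj->getId()]`, which inserts a NULL entry for every unknown object it is asked about; a `find()` avoids mutating the map on a lookup. processNext() continues past this hunk.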


@ -32,6 +32,7 @@
#include "fwbuilder/Group.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwcompiler/RuleProcessor.h"
@ -42,14 +43,18 @@ namespace fwcompiler
class NamedObjectManager
{
public:
static std::string addNamedObject(const libfwbuilder::FWObject *obj);
static NamedObject* getNamedObject(const libfwbuilder::FWObject *obj);
static std::map<int, NamedObject*> named_objects;
const libfwbuilder::Firewall *fw;
NamedObjectManager(const libfwbuilder::Firewall *_fw);
virtual ~NamedObjectManager();
std::string addNamedObject(const libfwbuilder::FWObject *obj);
NamedObject* getNamedObject(const libfwbuilder::FWObject *obj);
};
class CreateObjectGroups : public BasicRuleProcessor
{
static void clearNamedObjectsRegistry();
protected:
std::string re_type;
@ -63,7 +68,6 @@ protected:
public:
// storage for object groups created to be used with PIX command object-group
static libfwbuilder::Group *object_groups;
static std::map<int, NamedObject*> named_objects;
CreateObjectGroups(const std::string &name,
@ -148,21 +152,45 @@ public:
*/
class printObjectGroups : public BasicRuleProcessor
{
NamedObjectManager *named_objects_manager;
public:
printObjectGroups(const std::string &n) : BasicRuleProcessor(n) {}
printObjectGroups(const std::string &n,
NamedObjectManager *_m) : BasicRuleProcessor(n)
{
named_objects_manager = _m;
}
virtual bool processNext();
};
class printNamedObjects : public BasicRuleProcessor
class printNamedObjectsCommon : public BasicRuleProcessor
{
protected:
void printObjectsForRE(libfwbuilder::RuleElement *re);
NamedObjectManager *named_objects_manager;
public:
printNamedObjects(const std::string &n) : BasicRuleProcessor(n) {}
virtual bool processNext();
printNamedObjectsCommon(const std::string &n,
NamedObjectManager *_m) : BasicRuleProcessor(n)
{
named_objects_manager = _m;
}
};
class printNamedObjectsForPolicy : public printNamedObjectsCommon
{
bool haveCustomService(libfwbuilder::FWObject *grp);
public:
printNamedObjectsForPolicy(const std::string &n,
NamedObjectManager *m) : printNamedObjectsCommon(n, m) {}
virtual bool processNext();
};
class printNamedObjectsForNAT : public printNamedObjectsCommon
{
public:
printNamedObjectsForNAT(const std::string &n,
NamedObjectManager *m) : printNamedObjectsCommon(n, m) {}
virtual bool processNext();
};
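Review bot: NamedObjectManager now owns the NamedObject instances (its destructor deletes every map value) but declares no copy constructor or assignment operator, so any accidental copy — passing it by value, or storing it in a container — would double-delete the objects. Declare them private and unimplemented, in the file's C++03 style: `private: NamedObjectManager(const NamedObjectManager&); NamedObjectManager& operator=(const NamedObjectManager&);`. The drivers in this commit create the manager on the stack and hand out its address through setNamedObjectManager(); a one-line comment on the class stating that compilers and processors only borrow the pointer and must not outlive the driver's local would document that lifetime. Exposing `named_objects` and `fw` as public data is also wider than needed — ASA8ObjectGroup::toString() is the only external reader shown here and could go through getNamedObject().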
}


@ -43,7 +43,7 @@ using namespace std;
const char *PIXObjectGroup::TYPENAME={"PIXObjectGroup"};
string PIXObjectGroup::toString(std::map<int, NamedObject*>&) throw(FWException)
string PIXObjectGroup::toString(NamedObjectManager*) throw(FWException)
{
ostringstream ostr;


@ -39,7 +39,7 @@ public:
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString(std::map<int, NamedObject*> &named_objects_registry)
virtual std::string toString(NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException);
};


@ -34,6 +34,7 @@
#include "Helper.h"
#include "ACL.h"
#include "BaseObjectGroup.h"
#include "NamedObjectsAndGroupsSupport.h"
namespace libfwbuilder {
class IPService;
@ -509,6 +510,7 @@ protected:
protected:
Helper helper;
NamedObjectManager *named_objects_manager;
std::map<std::string,ciscoACL*> acls;
virtual std::string myPlatformName();
@ -536,7 +538,11 @@ public:
* in some kind of 'natural' order. Useful for both IOS and PIX
*/
void regroup();
void setNamedObjectManager(NamedObjectManager *mgr)
{
named_objects_manager = mgr;
}
};


@ -470,7 +470,8 @@ void PolicyCompiler_iosacl::compile()
add( new createNewCompilerPass("Creating object groups and ACLs"));
add( new printClearCommands("clear commands for object-groups and ACLs"));
add( new printObjectGroups("generate code for object groups"));
add( new printObjectGroups(
"generate code for object groups", named_objects_manager));
// This processor prints each ACL separately in one block.
// It adds comments inside to denote original rules.


@ -218,7 +218,7 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
PolicyCompiler_iosacl *iosacl_comp =
dynamic_cast<PolicyCompiler_iosacl*>(compiler);
string platform = compiler->fw->getStr("platform");
FWOptions *ruleopt =rule->getOptionsObject();
//FWOptions *ruleopt =rule->getOptionsObject();
bool write_comments = compiler->fw->getOptionsObject()->getBool(
platform + "_include_comments");


@ -679,7 +679,15 @@ void PolicyCompiler_pix::compile()
add( new createNewCompilerPass("Creating object groups and ACLs ..."));
add( new printClearCommands("Clear ACLs and object groups"));
add( new printObjectGroups("generate code for object groups"));
if (XMLTools::version_compare(vers, "8.3")>=0)
{
add( new printNamedObjectsForPolicy(
"definitions of named objects", named_objects_manager));
}
add( new printObjectGroups(
"generate code for object groups", named_objects_manager));
add( new PrintRule("generate code for ACLs"));
add( new simplePrintProgress());


@ -15,6 +15,7 @@
*/
#include "RoutingCompiler_cisco.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"


@ -23,6 +23,7 @@
#include "fwbuilder/RuleElement.h"
#include "config.h"
#include "NamedObjectsAndGroupsSupport.h"
namespace libfwbuilder {
class RuleElementRDst;
@ -38,6 +39,8 @@ namespace fwcompiler
protected:
NamedObjectManager *named_objects_manager;
/**
* prints rule in some universal format (close to that visible
* to user in the GUI). Used for debugging purposes. This method
@ -120,7 +123,12 @@ namespace fwcompiler
virtual int prolog();
virtual void compile();
};
void setNamedObjectManager(NamedObjectManager *mgr)
{
named_objects_manager = mgr;
}
};
}


@ -15,6 +15,7 @@
*/
#include "RoutingCompiler_cisco.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Routing.h"


@ -179,9 +179,11 @@ void CustomService::setCodeForPlatform(const string& platform,
codes[platform]=code;
}
const string& CustomService::getCodeForPlatform(const string& platform)
const string CustomService::getCodeForPlatform(const string& platform) const
{
return codes[platform];
std::map<std::string,std::string>::const_iterator it = codes.find(platform);
if (it == codes.end()) return "";
return it->second;
}
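Review bot: Returning `const std::string` by value is a pessimization if the project is ever built as C++11 or later, because the `const` prevents the caller from moving the result; the conventional signature is `std::string getCodeForPlatform(const std::string& platform) const;`, with the matching change in CustomService.h. The switch from `codes[platform]` to `find()` is the right fix — the old non-const accessor silently inserted an empty entry for every platform it was asked about. A brief comment that an empty return means "no code configured for this platform" would help callers, since that sentinel is indistinguishable from an explicitly empty code string.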
void CustomService::setProtocol(const string& proto)


@ -79,7 +79,7 @@ class CustomService : public Service
void setCodeForPlatform(const std::string& platform,
const std::string& code);
const std::string& getCodeForPlatform(const std::string& platform);
const std::string getCodeForPlatform(const std::string& platform) const;
void setProtocol(const std::string& proto);
const std::string& getProtocol();


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:53 2011 PST by vadim
! Generated Sun Jan 16 21:28:20 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:53 2011 PST by vadim
! Generated Sun Jan 16 21:28:20 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:53 2011 PST by vadim
! Generated Sun Jan 16 21:28:20 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:54 2011 PST by vadim
! Generated Sun Jan 16 21:28:21 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:54 2011 PST by vadim
! Generated Sun Jan 16 21:28:21 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:55 2011 PST by vadim
! Generated Sun Jan 16 21:28:21 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:55 2011 PST by vadim
! Generated Sun Jan 16 21:28:22 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:56 2011 PST by vadim
! Generated Sun Jan 16 21:28:22 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:55 2011 PST by vadim
! Generated Sun Jan 16 21:28:22 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:56 2011 PST by vadim
! Generated Sun Jan 16 21:28:23 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:57 2011 PST by vadim
! Generated Sun Jan 16 21:28:23 2011 PST by vadim
!
! Compiled for iosacl 12.3
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:56 2011 PST by vadim
! Generated Sun Jan 16 21:28:23 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:57 2011 PST by vadim
! Generated Sun Jan 16 21:28:24 2011 PST by vadim
!
! Compiled for iosacl 12.1
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:57 2011 PST by vadim
! Generated Sun Jan 16 21:28:24 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:58 2011 PST by vadim
! Generated Sun Jan 16 21:28:25 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3434
! Firewall Builder fwb_iosacl v4.2.0.3435
!
! Generated Sun Jan 16 16:41:57 2011 PST by vadim
! Generated Sun Jan 16 21:28:24 2011 PST by vadim
!
! Compiled for iosacl 12.4
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:12 2011 PST by vadim
! Generated Sun Jan 16 22:59:33 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:12 2011 PST by vadim
! Generated Sun Jan 16 22:59:33 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:12 2011 PST by vadim
! Generated Sun Jan 16 22:59:32 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:12 2011 PST by vadim
! Generated Sun Jan 16 22:59:33 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:47 2011 PST by vadim
! Generated Sun Jan 16 22:59:07 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:48 2011 PST by vadim
! Generated Sun Jan 16 22:59:08 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:49 2011 PST by vadim
! Generated Sun Jan 16 22:59:09 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:50 2011 PST by vadim
! Generated Sun Jan 16 22:59:10 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:50 2011 PST by vadim
! Generated Sun Jan 16 22:59:10 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:51 2011 PST by vadim
! Generated Sun Jan 16 22:59:11 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:52 2011 PST by vadim
! Generated Sun Jan 16 22:59:12 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:52 2011 PST by vadim
! Generated Sun Jan 16 22:59:12 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:53 2011 PST by vadim
! Generated Sun Jan 16 22:59:13 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:54 2011 PST by vadim
! Generated Sun Jan 16 22:59:15 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:54 2011 PST by vadim
! Generated Sun Jan 16 22:59:14 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:55 2011 PST by vadim
! Generated Sun Jan 16 22:59:15 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:56 2011 PST by vadim
! Generated Sun Jan 16 22:59:16 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:57 2011 PST by vadim
! Generated Sun Jan 16 22:59:17 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:58 2011 PST by vadim
! Generated Sun Jan 16 22:59:18 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:58 2011 PST by vadim
! Generated Sun Jan 16 22:59:19 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:17:59 2011 PST by vadim
! Generated Sun Jan 16 22:59:20 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:00 2011 PST by vadim
! Generated Sun Jan 16 22:59:20 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:01 2011 PST by vadim
! Generated Sun Jan 16 22:59:21 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:02 2011 PST by vadim
! Generated Sun Jan 16 22:59:22 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported
@ -15,7 +15,7 @@
!
! testing rules with broadcasts
! C firewall80:Policy:: error: ASA8ObjectGroup: Unsupported object 'custom serv 1' found in object group
!
! Prolog script:
@ -123,6 +123,7 @@ object-group service inside.id21447X11252.srv.1
service-object tcp eq 3128
exit
!
! Rule 0 (FastEthernet1)
ssh 0.0.0.0 0.0.0.0 inside
@ -171,6 +172,18 @@ access-list inside_acl_in permit 192.168.1.0 255.255.255.192 host 192.168.1.1 o
access-list inside_acl_in permit 192.168.1.0 255.255.255.192 any object-group inside.id21447X11252.srv.1
!
! Rule 9 (global)
! for #1942
! using custom service
access-list outside_acl_in deny any any host 192.168.1.10
access-list inside_acl_in deny any any host 192.168.1.10
!
! Rule 10 (global)
! for #1942
! using custom service
access-list outside_acl_in deny any host 192.168.1.10 object-group outside.id79024X21575.srv.0
access-list inside_acl_in deny any host 192.168.1.10 object-group outside.id79024X21575.srv.0
!
! Rule 11 (global)
access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any
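Review bot: The new access-list lines for rules 9 and 10 in this pix 8.2 expected output appear to lack a protocol token between `deny` and the source: rule 11 in the same file reads `deny ip any any`, while rule 9 reads `deny any any host 192.168.1.10` and rule 10 reads `deny any host 192.168.1.10 object-group outside.id79024X21575.srv.0`. If the CustomService's protocol "any" is being rendered as nothing instead of `ip`, the fixture now pins a command the device is unlikely to accept, and the same shape appears in rules 4 and 5 of the pix 8.3 section that follows. This file also stores the compiler's own diagnostic (`error: ASA8ObjectGroup: Unsupported object 'custom serv 1' found in object group`) as expected output, so the test keeps passing only as long as the compiler keeps failing the same way; worth confirming that this is the intended result for pix 8.2 rather than a snapshot of a bug. These are generated files, so any fix belongs in the compiler (NamedObjectsAndGroupsSupport.cpp per the commit message), not here.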


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:02 2011 PST by vadim
! Generated Sun Jan 16 22:59:23 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -95,11 +95,29 @@ clear config object-group
clear config icmp
clear config telnet
object service custom_serv_1
service resetinbound interface outside
quit
object service squid
service tcp destination eq 3128
quit
object-group service inside.id86733X27607.srv.0
service-object icmp
service-object tcp range 0 65535
exit
object-group service inside.id127389X26962.srv.0
service-object object custom_serv_1
exit
object-group service inside.id127342X26962.srv.0
service-object object custom_serv_1
service-object object squid
exit
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp
@ -125,6 +143,18 @@ access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80
access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
!
! Rule 4 (global)
! for #1942
! using custom service
access-list inside_acl_in deny any host 192.168.1.10 object-group inside.id127389X26962.srv.0
access-list outside_acl_in deny any host 192.168.1.10 object-group inside.id127389X26962.srv.0
!
! Rule 5 (global)
! for #1942
! using custom service
access-list inside_acl_in deny any host 192.168.1.10 object-group inside.id127342X26962.srv.0
access-list outside_acl_in deny any host 192.168.1.10 object-group inside.id127342X26962.srv.0
!
! Rule 6 (global)
access-list inside_acl_in deny ip any any
access-list outside_acl_in deny ip any any
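Review bot: `object service custom_serv_1` in the new hunk takes the CustomService's pix command string verbatim as its body (`service resetinbound interface outside`), which does not look like a service specification when placed next to `squid`'s `service tcp destination eq 3128`; whatever text the CustomService object holds is emitted as-is into the `object service` definition and then referenced from the two object-groups below and from the NAT rule in the firewall90 section. If this is intended, a generated comment such as `! object service body is the user-supplied CustomService command for platform pix` would help anyone reading the config; if not, the 8.3 path should validate or reject CustomService objects in named-object context the way the 8.2 path reports an error. The enclosing file is a generated test fixture, so the change belongs in the compiler rather than in this output.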


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:03 2011 PST by vadim
! Generated Sun Jan 16 22:59:23 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -95,6 +95,7 @@ clear config object-group
clear config icmp
clear config telnet
object-group service inside.id923611X27607.srv.0
service-object icmp
service-object tcp range 0 65535


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:04 2011 PST by vadim
! Generated Sun Jan 16 22:59:24 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -93,6 +93,7 @@ clear config object-group
clear config icmp
clear config telnet
object-group service inside.id923813X27607.srv.0
service-object icmp
service-object tcp range 0 65535


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:04 2011 PST by vadim
! Generated Sun Jan 16 22:59:25 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:05 2011 PST by vadim
! Generated Sun Jan 16 22:59:25 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -94,6 +94,7 @@ clear config object-group
clear config icmp
clear config telnet
object-group network outside.id78630X30274.src.net.0
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0
@ -169,6 +170,9 @@ quit
object service smtps
service tcp destination eq 465
quit
object service custom_serv_1
service resetinbound interface outside
quit
object-group network outside.id178211X29963.osrc.net.0
network-object object internal_subnet_1
@ -234,6 +238,11 @@ object-group network outside.id77971X5929.tsrc.net.1
network-object object external_gw2
exit
object-group service outside.id127056X21575.osrv.0
service-object object custom_serv_1
exit
!
! Rule 0 (NAT)
nat (inside,outside) source dynamic Internal_net interface service http http description "0 (NAT)"
@ -338,6 +347,12 @@ nat (outside,inside) source static any any destination static interface hostA:et
! multiple objects in OSrc, ODst, OSrv and TSrc in various combinations
nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.0 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtp smtp description "23 (NAT)"
nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.1 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtps smtps description "23 (NAT)"
!
! Rule 24 (NAT)
! for #1942
! using custom service
! note that the rule makese no sense at all
nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service outside.id127056X21575.osrv.0 custom_serv_1 description "24 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:06 2011 PST by vadim
! Generated Sun Jan 16 22:59:26 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -97,6 +97,7 @@ clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:06 2011 PST by vadim
! Generated Sun Jan 16 22:59:27 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -92,6 +92,7 @@ clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:07 2011 PST by vadim
! Generated Sun Jan 16 22:59:28 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:08 2011 PST by vadim
! Generated Sun Jan 16 22:59:29 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1294970408" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1295243227" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -1353,12 +1353,23 @@
<ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False">
<UDPService id="id19120X1497" name="src_udp_ports" comment="" ro="False" src_range_start="10000" src_range_end="10010" dst_range_start="0" dst_range_end="0"/>
</ServiceGroup>
<ServiceGroup id="stdid13_1" name="Custom_Services" comment="" ro="False">
<ServiceGroup id="stdid13_1" name="Custom" comment="" ro="False">
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
</CustomService>
<CustomService id="id21571X21575" name="custom serv 1" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix">resetinbound interface outside</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False"/>
</ServiceGroup>
@ -16996,7 +17007,7 @@ no sysopt nodnsalias outbound
</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295222851" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
<Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295243635" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
<NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -17188,7 +17199,50 @@ no sysopt nodnsalias outbound
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id18920X29796" disabled="False" log="False" position="9" action="Deny" direction="Both" comment="">
<PolicyRule id="id21584X21575" disabled="False" group="" log="False" position="9" action="Deny" direction="Both" comment="for #1942&#10;using custom service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id21571X21575"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79024X21575" disabled="False" group="" log="False" position="10" action="Deny" direction="Both" comment="for #1942&#10;using custom service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id21571X21575"/>
<ServiceRef ref="id3B5009F7"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id18920X29796" disabled="False" log="False" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -17385,7 +17439,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id86621X27607" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294348905" platform="pix" version="8.3" name="firewall81" comment="test for the warning issued when translated address is used in&#10;policy rule&#10;" ro="False">
<Firewall id="id86621X27607" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295245802" platform="pix" version="8.3" name="firewall81" comment="test for the warning issued when translated address is used in&#10;policy rule&#10;" ro="False">
<NAT id="id86771X27607" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id138353X27607" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -17492,7 +17546,50 @@ no sysopt nodnsalias outbound
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id86758X27607" disabled="False" log="False" position="4" action="Deny" direction="Both" comment="">
<PolicyRule id="id127389X26962" disabled="False" group="" log="False" position="4" action="Deny" direction="Both" comment="for #1942&#10;using custom service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id21571X21575"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id127342X26962" disabled="False" group="" log="False" position="5" action="Deny" direction="Both" comment="for #1942&#10;using custom service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id21571X21575"/>
<ServiceRef ref="id3B5009F7"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id86758X27607" disabled="False" log="False" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -18297,7 +18394,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294970497" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295243536" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -18888,6 +18985,27 @@ no sysopt nodnsalias outbound
<Option name="color">#C0C0C0</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id127056X21575" disabled="False" group="" position="24" action="Translate" comment="for #1942&#10;using custom service&#10;note that the rule makese no sense at all">
<OSrc neg="False">
<ObjectRef ref="id178241X29963"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id21571X21575"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id20049X29963"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id19857X26146" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:09 2011 PST by vadim
! Generated Sun Jan 16 22:59:30 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3435
!
! Generated Sun Jan 16 20:18:10 2011 PST by vadim
! Generated Sun Jan 16 22:59:31 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -1,9 +1,9 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3426
; Firewall Builder fwb_procurve_acl v4.2.0.3435
;
; Generated Mon Jan 10 16:37:03 2011 PST by vadim
; Generated Sun Jan 16 23:00:19 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;


@ -1,9 +1,9 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3426
; Firewall Builder fwb_procurve_acl v4.2.0.3435
;
; Generated Mon Jan 10 16:37:03 2011 PST by vadim
; Generated Sun Jan 16 23:00:20 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;


@ -1,9 +1,9 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3426
; Firewall Builder fwb_procurve_acl v4.2.0.3435
;
; Generated Mon Jan 10 16:37:04 2011 PST by vadim
; Generated Sun Jan 16 23:00:20 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;


@ -1,9 +1,9 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3426
; Firewall Builder fwb_procurve_acl v4.2.0.3435
;
; Generated Mon Jan 10 16:37:04 2011 PST by vadim
; Generated Sun Jan 16 23:00:21 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;