see #1960 add support for CustomService for PIX policy rules

doc/ChangeLog

@@ -1,3 +1,12 @@
+2011-01-19  Vadim Kurland  <vadim@netcitadel.com>
+
+	* PolicyCompiler_pix_writers.cpp: see #1960 add support for
+	CustomService for PIX policy rules. Note that CustomService
+	objects are only supported in Policy rules since nat commands in
+	ASA 8.3 require use of named objects and it is difficult to
+	implement correct named objects and object-groups with protocol
+	parameter and custom services.
+
 2011-01-18  Vadim Kurland  <vadim@netcitadel.com>
 
 	* PIXObjectGroup.cpp: ASA 8.3 see #1942, #1943 fixed generation of
@@ -17,7 +26,9 @@
 	support for CustomService objects for ASA 8.3. Generate separate
 	named object and object-group for these objects, then split policy
 	and nat rules so that only one custom service object is left in
-	each rule and then use object-group to match it.
+	each rule and then use object-group to match it. Note: this has
+	been rolled back. There is no support for CustomService objects in
+	NAT rules.
 
 	* PolicyCompiler_pix.cpp (processNext): fixes #1948 "incorrect
 	configuration created when a CustomService object is used in a
@@ -58,6 +69,8 @@
 	 -- see #1946 "restrict generation of the named objects by
 	PolicyCompiler_pix to ASA 8"
 	 -- see #1885 "named network and service objects in pix8"
+	Note: this has been rolled back. There is no support for
+	CustomService objects in NAT rules.
 
 	* NATCompiler_pix.cpp (processNext): see #1941 "ASA NAT - compiler
 	complains about range in original destination". NAT rules

src/cisco_lib/PolicyCompiler_pix_writers.cpp

@@ -246,6 +246,10 @@ string PolicyCompiler_pix::PrintRule::_printDstService(Service *srv)
     if (ICMPService::isA(srv) && srv->getInt("type")!=-1)
 	    str << srv->getStr("type") << " ";
 
+    if (CustomService::isA(srv)) 
+	str << CustomService::cast(srv)->getCodeForPlatform(
+            compiler->myPlatformName() ) << " ";
+
     const IPService *ip_srv = IPService::constcast(srv);
     if (ip_srv && ip_srv->hasIpOptions())
         compiler->warning("PIX can not match IP options");

src/cisco_lib/specialServices.cpp

@@ -78,11 +78,11 @@ bool SpecialServices::processNext()
         }
     }
 
-    if (CustomService::cast(s)!=NULL)
+    if (CustomService::cast(s)!=NULL && pix_comp==NULL)
     {
         compiler->abort(
             rule, 
-            "CustomService objects are not supported");
+            "CustomService objects are not supported in NAT rules");
         return true;
     }
 

test/pix/objects-for-regression-tests.fwb

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1295315379" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1295466874" id="root">
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -1385,6 +1385,17 @@
           <CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
           <CustomServiceCommand platform="unknown"></CustomServiceCommand>
         </CustomService>
+        <CustomService id="id80355X18586" name="custom serv 2" comment="" ro="False" protocol="tcp" address_family="ipv4">
+          <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
+          <CustomServiceCommand platform="iosacl"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+          <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
+          <CustomServiceCommand platform="iptables"></CustomServiceCommand>
+          <CustomServiceCommand platform="pf"></CustomServiceCommand>
+          <CustomServiceCommand platform="pix">neq 8080</CustomServiceCommand>
+          <CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
+          <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+        </CustomService>
       </ServiceGroup>
       <ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False"/>
     </ServiceGroup>
@@ -17022,7 +17033,7 @@ no sysopt nodnsalias outbound
         </Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295404811" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
+      <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295466889" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
         <NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id70310X19497" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -17243,7 +17254,7 @@ no sysopt nodnsalias outbound
               <ObjectRef ref="host-hostA"/>
             </Dst>
             <Srv neg="False">
-              <ServiceRef ref="id21571X21575"/>
+              <ServiceRef ref="id80355X18586"/>
             </Srv>
             <Itf neg="False">
               <ObjectRef ref="sysid0"/>
@@ -17264,8 +17275,8 @@ no sysopt nodnsalias outbound
               <ObjectRef ref="host-hostA"/>
             </Dst>
             <Srv neg="False">
-              <ServiceRef ref="id21571X21575"/>
               <ServiceRef ref="id3B5009F7"/>
+              <ServiceRef ref="id80355X18586"/>
             </Srv>
             <Itf neg="False">
               <ObjectRef ref="sysid0"/>