diff --git a/doc/ChangeLog b/doc/ChangeLog index f624ebe3b..b9fc2f82b 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,12 @@ +2011-01-19 Vadim Kurland + + * PolicyCompiler_pix_writers.cpp: see #1960 add support for + CustomService for PIX policy rules. Note that CustomService + objects are only supported in Policy rules since nat commands in + ASA 8.3 require use of named objects and it is difficult to + implement correct named objects and object-groups with protocol + parameter and custom services. + 2011-01-18 Vadim Kurland * PIXObjectGroup.cpp: ASA 8.3 see #1942, #1943 fixed generation of @@ -17,7 +26,9 @@ support for CustomService objects for ASA 8.3. Generate separate named object and object-group for these objects, then split policy and nat rules so that only one custom service object is left in - each rule and then use object-group to match it. + each rule and then use object-group to match it. Note: this has + been rolled back. There is no support for CustomService objects in + NAT rules. * PolicyCompiler_pix.cpp (processNext): fixes #1948 "incorrect configuration created when a CustomService object is used in a @@ -58,6 +69,8 @@ -- see #1946 "restrict generation of the named objects by PolicyCompiler_pix to ASA 8" -- see #1885 "named network and service objects in pix8" + Note: this has been rolled back. There is no support for + CustomService objects in NAT rules. * NATCompiler_pix.cpp (processNext): see #1941 "ASA NAT - compiler complains about range in original destination". NAT rules diff --git a/src/cisco_lib/PolicyCompiler_pix_writers.cpp b/src/cisco_lib/PolicyCompiler_pix_writers.cpp index 53723228c..82c731a5e 100644 --- a/src/cisco_lib/PolicyCompiler_pix_writers.cpp +++ b/src/cisco_lib/PolicyCompiler_pix_writers.cpp 
@@ -246,6 +246,10 @@ string PolicyCompiler_pix::PrintRule::_printDstService(Service *srv) if (ICMPService::isA(srv) && srv->getInt("type")!=-1) str << srv->getStr("type") << " "; + if (CustomService::isA(srv)) + str << CustomService::cast(srv)->getCodeForPlatform( + compiler->myPlatformName() ) << " "; + const IPService *ip_srv = IPService::constcast(srv); if (ip_srv && ip_srv->hasIpOptions()) compiler->warning("PIX can not match IP options"); diff --git a/src/cisco_lib/specialServices.cpp b/src/cisco_lib/specialServices.cpp index 7030f9df8..219c7305c 100644 --- a/src/cisco_lib/specialServices.cpp +++ b/src/cisco_lib/specialServices.cpp @@ -78,11 +78,11 @@ bool SpecialServices::processNext() } } - if (CustomService::cast(s)!=NULL) + if (CustomService::cast(s)!=NULL && pix_comp==NULL) { compiler->abort( rule, - "CustomService objects are not supported"); + "CustomService objects are not supported in NAT rules"); return true; } diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index d8c437e2f..3c9cdd52d 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb @@ -1,6 +1,6 @@ - + @@ -1385,6 +1385,17 @@ + + + + + + + + neq 8080 + + + @@ -17022,7 +17033,7 @@ no sysopt nodnsalias outbound - + @@ -17243,7 +17254,7 @@ no sysopt nodnsalias outbound - + @@ -17264,8 +17275,8 @@ no sysopt nodnsalias outbound - +
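Review bot: The new CustomService branch streams the result of `getCodeForPlatform(compiler->myPlatformName())` straight into the access-list text without inspecting it, so a CustomService object that carries no code for the current platform would (assuming the getter returns an empty string in that case, which is not visible here) leave the generated rule with a bare trailing space where the service match should be. Binding the value first and warning on the empty case keeps the configuration from silently losing the match: `const string code = CustomService::cast(srv)->getCodeForPlatform(compiler->myPlatformName());` / `if (code.empty()) compiler->warning("CustomService object has no code for this platform");` / `else str << code << " ";`. Since the code string is user-authored and copied verbatim into the command, a comment above the branch stating that it is emitted unescaped and must already be a valid PIX/ASA service clause would help the next reader. `_printDstService` begins and ends outside this hunk.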
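Review bot: In the specialServices.cpp hunk the abort condition and its message disagree: the code tests `pix_comp==NULL`, while the new text tells the user the object is unsupported "in NAT rules". `pix_comp` is assigned before this hunk (processNext starts outside it); if it is derived from the compiler's type, as the name suggests, the abort also fires for any non-PIX policy compiler that shares this processor and would then mislabel an ordinary policy rule as a NAT rule. Either gate on the rule type as well or word the message after what is actually tested, and document the intent with a comment such as `// CustomService is only rendered by the PIX policy writer (_printDstService); every other compiler rejects it here`.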