onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 18:27:16 +01:00
Code Issues Releases Wiki Activity

see #2098 support for interfaces in PIX/ASA NAT rules; see #153 deprecating Rule::getInterfaceStr()

Browse Source
This commit is contained in:
Vadim Kurland 2011-02-19 19:13:01 -08:00
parent ccbe413c22
commit 4136d63957
48 changed files with 3554 additions and 2977 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/ChangeLog
View File

@ -1,5 +1,15 @@
2011-02-19 vadim <vadim@netcitadel.com>
* NATCompiler_pix.cpp (processNext): see #2098 Added support for
user-configurable inbound and outbound interfaces in Cisco PIX/ASA
NAT rules. Two new columns appear in the rule set view: "Inbound
Interface" and "Outbound Interface". If user leaves one or both
columns blank, the GUI shows "Auto" in there and policy compiler
picks corresponding interface automatically. Leaving both columns
blank ("Auto") triggers backwards-compatible automatic behavior
where both interfaces are picked automatically. Multiple interface
objects and groups of interfaces are allowed in these columns.
* ClusterInterfaceWidget.cpp (getInterfaceData): fixes #2117 "CARP
interfaces in cluster that use VLAN interaces have no interface
set to MASTER". When PF cluster configuration was built using vlan

15
src/cisco_lib/NATCompiler_asa8.cpp
View File

@ -269,21 +269,6 @@ bool NATCompiler_asa8::VerifyRules::processNext()
bool NATCompiler_asa8::verifyInterfacesInNatRule::processNext()
{
NATRule *rule = getNext(); if (rule==NULL) return false;
Interface *o_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInt("nat_iface_orig")));
Interface *t_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInt("nat_iface_trn")));
if (o_iface->getId() == t_iface->getId())
{
QString err("Objects used in Original Source and Translated Source "
"of the rule dictate that the same interface '%1' is going "
"to be used as real and mapped interface in the generated "
"nat command.");
compiler->warning(rule, err.arg(o_iface->getLabel().c_str()).toStdString());
}
tmp_queue.push_back(rule);
return true;
}

15
src/cisco_lib/NATCompiler_asa8_writers.cpp
View File

@ -116,14 +116,17 @@ void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
Address *tdst = compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv);
Interface *o_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInt("nat_iface_orig")));
Interface *t_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInt("nat_iface_trn")));
RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL);
RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL);
Interface *i_iface = Interface::cast(
FWObjectReference::getObject(itf_in_re->front()));
Interface *o_iface = Interface::cast(
FWObjectReference::getObject(itf_out_re->front()));
cmd << QString("nat (%1,%2)")
.arg(o_iface->getLabel().c_str())
.arg(t_iface->getLabel().c_str());
.arg(i_iface->getLabel().c_str())
.arg(o_iface->getLabel().c_str());
cmd << "source";

737
src/cisco_lib/NATCompiler_pix.cpp
View File

@ -96,6 +96,16 @@ NATCompiler_pix::~NATCompiler_pix()
}
bool StaticCmd::operator==(const StaticCmd &other)
{
return (*oaddr == *(other.oaddr) &&
*iaddr == *(other.iaddr) &&
*osrv == *(other.osrv) &&
*tsrv == *(other.tsrv) &&
i_iface->getId() == other.i_iface->getId() &&
o_iface->getId() == other.o_iface->getId());
}
/*
* Do not expand interfaces in ODst and TSrc
*
@ -230,10 +240,8 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
{
NATRule *rule=NATRule::cast(r);
FWObject *iface1 = dbcopy->findInIndex( rule->getInt("nat_iface_orig") );
FWObject *iface2 = dbcopy->findInIndex( rule->getInt("nat_iface_trn") );
string iface1_name=(iface1!=NULL)?iface1->getName():"";
string iface2_name=(iface2!=NULL)?iface2->getName():"";
RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL);
RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL);
ostringstream os;
@ -258,9 +266,7 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
os << " o_src=" << _print_addr(natcmd->o_src->getAddressPtr());
os << " o_dst=" << _print_addr(natcmd->o_dst->getAddressPtr());
os << " o_srv=" << natcmd->o_srv->getName();
os << " o_iface=" << natcmd->o_iface->getLabel();
os << " t_addr=" << _print_addr(natcmd->t_addr->getAddressPtr());
os << " t_iface=" << natcmd->t_iface->getLabel();
os << " ignore_global=" << string((natcmd->ignore_global)?"1":"0");
os << " ignore_nat=" << string((natcmd->ignore_nat)?"1":"0");
os << " ignore_nat_and_print_acl="
@ -281,6 +287,7 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
string oaddr_str = _print_addr(scmd->oaddr->getAddressPtr());
os << " StaticCmd:";
os << " ignore=" << scmd->ignore_scmd_and_print_acl;
os << " acl=" << scmd->acl_name;
os << " (" << nat_acl_names[scmd->acl_name] << ")";
os << " iaddr=" << iaddr_str;
@ -294,9 +301,9 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
default: ; // TODO: should actually be always_assert
}
return NATCompiler::debugPrintRule(rule)+
" "+iface1_name+" "+iface2_name+
" (type="+rule->getRuleTypeAsString()+") "+
return NATCompiler::debugPrintRule(rule) +
" " +
" (type=" + rule->getRuleTypeAsString() + ") " +
"use_nat_0_0=" + string((rule->getBool("use_nat_0_0"))?"1":"0") + " " +
os.str();
}
@ -465,6 +472,8 @@ bool NATCompiler_pix::AssignInterface::processNext()
Helper helper(compiler);
NATRule *rule = getNext(); if (rule==NULL) return false;
RuleElement *itf_re;
Address *a1 = NULL;
Address *a2 = NULL;
@ -490,28 +499,42 @@ bool NATCompiler_pix::AssignInterface::processNext()
int org_intf_id = helper.findInterfaceByNetzone(a1);
int trn_intf_id = helper.findInterfaceByNetzone(a2);
rule->setInt("nat_iface_orig", org_intf_id);
rule->setInt("nat_iface_trn", trn_intf_id);
rule->setInterfaceId(trn_intf_id);
if ( rule->getInt("nat_iface_orig")==-1 )
FWObject *iface_org = compiler->dbcopy->findInIndex(org_intf_id);
FWObject *iface_trn = compiler->dbcopy->findInIndex(trn_intf_id);
if ( org_intf_id==-1 )
{
compiler->abort(
rule,
"Object '" + a1->getName() +
"' does not belong to any known network zone.");
QString err("Object '%1' does not belong to any known network zone.");
compiler->abort(rule, err.arg(a1->getName().c_str()).toStdString());
return true;
}
if ( rule->getInt("nat_iface_trn")==-1 )
if ( trn_intf_id==-1 )
{
compiler->abort(
rule,
"Object '" + a2->getName() +
"' does not belong to any known network zone.");
QString err("Object '%1' does not belong to any known network zone.");
compiler->abort(rule, err.arg(a2->getName().c_str()).toStdString());
return true;
}
itf_re = rule->getItfInb(); assert(itf_re!=NULL);
if (itf_re->isAny() && ! itf_re->hasRef(iface_org)) itf_re->addRef(iface_org);
itf_re = rule->getItfOutb(); assert(itf_re!=NULL);
if (itf_re->isAny() && ! itf_re->hasRef(iface_trn)) itf_re->addRef(iface_trn);
if (org_intf_id == trn_intf_id)
{
QString err("Objects used in Original Source and Translated Source "
"of the rule dictate that the same interface '%1' is going "
"to be used as real and mapped interface in the generated "
"nat command.");
compiler->warning(
rule,
err.arg(
Interface::cast(iface_org)->getLabel().c_str()).toStdString());
}
tmp_queue.push_back(rule);
return true;
}
@ -793,8 +816,10 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
}
} else
{
Address *odst=compiler->getFirstODst(rule); assert(odst!=NULL);
FWObject *odst_iface=compiler->dbcopy->findInIndex( helper.findInterfaceByNetzone(odst ) );
Address *odst = compiler->getFirstODst(rule); assert(odst!=NULL);
FWObject *odst_iface =
compiler->dbcopy->findInIndex(
helper.findInterfaceByNetzone(odst ) );
if (odst_iface!=NULL) cl.push_back(odst_iface);
}
if ( ! cl.empty() ) {
@ -872,11 +897,12 @@ bool NATCompiler_pix::UseFirewallInterfaces::processNext()
bool NATCompiler_pix::processNONATRules::processNext()
{
Helper helper(compiler);
NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATCompiler_pix *pix_comp = dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (rule->getRuleType()==NATRule::NONAT) {
if (rule->getRuleType()==NATRule::NONAT)
{
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
@ -897,8 +923,17 @@ bool NATCompiler_pix::processNONATRules::processNext()
{
rule->setInt("nonat_type", NONAT_NAT0);
nonat n0;
n0.i_iface = osrc_iface;
n0.o_iface = odst_iface;
// n0.i_iface = osrc_iface;
// n0.o_iface = odst_iface;
RuleElement *itf_re = rule->getItfInb();
assert(itf_re!=NULL);
if ( ! itf_re->hasRef(osrc_iface)) itf_re->addRef(osrc_iface);
itf_re = rule->getItfOutb();
assert(itf_re!=NULL);
if ( ! itf_re->hasRef(odst_iface)) itf_re->addRef(odst_iface);
n0.src = osrc;
n0.dst = odst;
n0.acl_name = "nat0."+osrc_iface->getLabel();
@ -913,7 +948,20 @@ bool NATCompiler_pix::processNONATRules::processNext()
} else
{
rule->setInt("nonat_type",NONAT_STATIC);
rule->setInt("nonat_type", NONAT_STATIC);
Interface *osrc_iface = Interface::cast(
compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(osrc)));
Interface *odst_iface = Interface::cast(
compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(odst)));
RuleElement *itf_re = rule->getItfInb();
assert(itf_re!=NULL);
if ( ! itf_re->hasRef(osrc_iface)) itf_re->addRef(osrc_iface);
itf_re = rule->getItfOutb();
assert(itf_re!=NULL);
if ( ! itf_re->hasRef(odst_iface)) itf_re->addRef(odst_iface);
}
}
@ -927,12 +975,6 @@ bool NATCompiler_pix::createNATCmd::processNext()
NATRule *rule = getNext(); if (rule==NULL) return false;
string version = compiler->fw->getStr("version");
bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member");
Cluster *cluster = NULL;
if (cluster_member)
cluster = Cluster::cast(
compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id")));
if (rule->getRuleType()==NATRule::SNAT)
{
Address *osrc = compiler->getFirstOSrc(rule); assert(osrc);
@ -940,6 +982,14 @@ bool NATCompiler_pix::createNATCmd::processNext()
Service *osrv = compiler->getFirstOSrv(rule); assert(osrv);
Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc);
RuleElementItfInb *itf_in_re = rule->getItfInb();
RuleElementItfOutb *itf_out_re = rule->getItfOutb();
Interface *i_iface = Interface::cast(
FWObjectReference::getObject(itf_in_re->front()));
Interface *o_iface = Interface::cast(
FWObjectReference::getObject(itf_out_re->front()));
NATCmd *natcmd = new NATCmd();
natcmd->nat_id = nat_id_counter;
@ -948,16 +998,14 @@ bool NATCompiler_pix::createNATCmd::processNext()
natcmd->o_src = osrc;
natcmd->o_dst = odst;
natcmd->o_srv = osrv;
natcmd->o_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInt("nat_iface_orig")));
natcmd->t_addr = tsrc;
natcmd->t_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInt("nat_iface_trn")));
natcmd->i_iface = i_iface; // inbound interface
natcmd->o_iface = o_iface; // outbound interface
natcmd->nat_acl_name = pix_comp->getNATACLname(rule,"");
pix_comp->registerACL(natcmd->nat_acl_name);
if (Interface::cast(tsrc)!=NULL || natcmd->t_iface->isDyn())
if (Interface::cast(tsrc)!=NULL || o_iface->isDyn())
{
natcmd->type = INTERFACE;
} else
@ -978,8 +1026,9 @@ bool NATCompiler_pix::createNATCmd::processNext()
/*
* "nat ... outside" is only supported in PIX 6.2
*/
natcmd->outside =
( natcmd->o_iface->getSecurityLevel() < natcmd->t_iface->getSecurityLevel());
( i_iface->getSecurityLevel() < o_iface->getSecurityLevel());
if (natcmd->outside && compiler->fw->getStr("platform")=="pix" &&
libfwbuilder::XMLTools::version_compare(version, "6.2")<0 )
@ -1011,13 +1060,21 @@ bool NATCompiler_pix::createStaticCmd::processNext()
if (rule->getRuleType()==NATRule::DNAT)
{
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
Service *osrv=compiler->getFirstOSrv(rule); assert(osrv);
Address *tdst=compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv);
Address *osrc = compiler->getFirstOSrc(rule); assert(osrc);
Address *odst = compiler->getFirstODst(rule); assert(odst);
Service *osrv = compiler->getFirstOSrv(rule); assert(osrv);
Address *tdst = compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv);
StaticCmd *scmd=new StaticCmd();
RuleElementItfInb *itf_in_re = rule->getItfInb();
RuleElementItfOutb *itf_out_re = rule->getItfOutb();
Interface *i_iface = Interface::cast(
FWObjectReference::getObject(itf_in_re->front()));
Interface *o_iface = Interface::cast(
FWObjectReference::getObject(itf_out_re->front()));
StaticCmd *scmd = new StaticCmd();
scmd->acl_name = pix_comp->getNATACLname(rule,"");
pix_comp->registerACL(scmd->acl_name);
@ -1030,6 +1087,8 @@ bool NATCompiler_pix::createStaticCmd::processNext()
scmd->osrv= osrv;
scmd->tsrv= tsrv;
scmd->ignore_scmd_and_print_acl=false;
scmd->i_iface = i_iface;
scmd->o_iface = o_iface;
pix_comp->static_commands[sc_id_counter]=scmd;
rule->setInt("sc_cmd",sc_id_counter);
@ -1041,246 +1100,6 @@ bool NATCompiler_pix::createStaticCmd::processNext()
}
/*
* this processor uses slurp to make sure all previous processors ran before
* it starts scanning rules.
*/
bool NATCompiler_pix::mergeNATCmd::processNext()
{
NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *rule = NATRule::cast( *k );
if (rule->getRuleType() == NATRule::DNAT)
{
StaticCmd *scmd = pix_comp->static_commands[rule->getInt("sc_cmd")];
map<int,StaticCmd*>::iterator i1;
for (i1=pix_comp->static_commands.begin();
i1!=pix_comp->static_commands.end(); ++i1)
{
StaticCmd *sc = (*i1).second;
if (scmd==sc) break;
if (*(scmd->oaddr) == *(sc->oaddr) &&
*(scmd->iaddr) == *(sc->iaddr) &&
*(scmd->osrv) == *(sc->osrv) &&
*(scmd->tsrv) == *(sc->tsrv))
{
/* rule 'sc' is above rule 'scmd', we need to print 'static' command
* only in the last rule using the same access list. That's why we set
* flag ignore_scmd_and_print acl in sc and not in scmd
*/
scmd->acl_name = sc->acl_name;
sc->ignore_scmd_and_print_acl=true;
}
}
}
if (rule->getRuleType()==NATRule::SNAT)
{
NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ];
map<int,NATCmd*>::iterator i1;
for (i1 = pix_comp->nat_commands.begin();
i1 != pix_comp->nat_commands.end(); ++i1)
{
NATCmd *nc = (*i1).second;
/* since map nat_commands is sorted by the key, we only have to scan it
* until we hit natcmd
*/
if (natcmd==nc) break;
const InetAddr *a1 = natcmd->t_addr->getAddressPtr();
const InetAddr *a2 = nc->t_addr->getAddressPtr();
Interface *int1 = natcmd->t_iface;
Interface *int2 = nc->t_iface;
if ((natcmd->t_addr == nc->t_addr ||
(a1 && a2 && *a1 == *a2)) &&
int1->getId() == int2->getId() )
{
natcmd->ignore_global = true;
natcmd->nat_id = nc->nat_id;
}
}
for (map<int,NATCmd*>::iterator i1=pix_comp->nat_commands.begin();
i1!=pix_comp->nat_commands.end(); ++i1)
{
NATCmd *nc = (*i1).second;
/* since map nat_commands is sorted by the key, we only have to scan it
* until we hit natcmd
*/
if (natcmd == nc) break;
if (nc->ignore_nat) continue;
/* using operator==(const Address &o1,const Address &o2) here */
if ( *(natcmd->o_src) == *(nc->o_src) &&
*(natcmd->o_dst) == *(nc->o_dst) &&
*(natcmd->o_srv) == *(nc->o_srv) &&
natcmd->o_iface->getId() == nc->o_iface->getId() )
{
/*
* there is another nat rule (rule #2) with the same "original"
* addresses and the same interface. We can drop this nat rule, but need
* to merge its global pool with pool of the rule #2.
*
* This nat rule could have been sharing a global pool with some other
* nat rule; in this case we need to find this other rule and also
* reassign it to the global pool of the rule #2.
*/
natcmd->ignore_nat = true;
map<int,NATCmd*>::iterator i2;
for (i2 = pix_comp->nat_commands.begin();
i2 != pix_comp->nat_commands.end(); ++i2)
{
NATCmd *nc2 = i2->second;
if (natcmd->nat_id == nc2->nat_id)
nc2->nat_id = nc->nat_id;
}
natcmd->nat_id = nc->nat_id;
}
}
if (!natcmd->use_nat_0_0)
{
map<int,NATCmd*>::iterator i1;
for (i1 = pix_comp->nat_commands.begin();
i1 != pix_comp->nat_commands.end(); ++i1)
{
NATCmd *nc=(*i1).second;
/* since map nat_commands is sorted by the key, we only have to scan it
* until we hit natcmd
*/
if (natcmd==nc) break;
/* ignore nat natcmd entries for rules where we won't print 'nat'
* command or use 'nat 0' command since this means we won't print
* access-list for those rules and hense can not merge lists
*/
if (nc->ignore_nat) continue;
if (nc->use_nat_0_0) continue;
if ( natcmd->nat_id == nc->nat_id &&
natcmd->t_addr == nc->t_addr &&
natcmd->o_iface->getId() == nc->o_iface->getId() )
{
/* two nat commands with the same id, the same interface and the same
* translated address, but different osrc and odst. OSrc and ODst must
* be different, otherwise these two commands would have been merged
* in the previous cycle. We can merge access lists and drop one of
* these nat commands. We merge ACLs by assigning them the same name.
*/
natcmd->nat_acl_name = nc->nat_acl_name;
nc->ignore_nat_and_print_acl = true;
}
}
}
}
}
return true;
}
/*
* The goal of this processor is to find SNAT rules that could be
* translated as "nat (interface) 0.0.0.0 0.0.0.0. These rules should
* have the same network object in OSrc that is used to define
* interface's network zone. The logic is simple: if network "A" is a
* network zone for internal interface, then only packets from this
* network can hit it and therefore there is no need to check source
* address once more in the "nat" rule.
*
* We also check for ODst and OSrv, because if the destination or the
* service are defined, then this optimization can not be done.
*
* This optimization can be turned off using checkbutton in the
* "Firewall" tab.
*
* call this processor really early, when groups have not been
* expanded yet. At this point both NAT rule type and interfaces it
* is associated with are unknown yet. We have to partially repeat
* algorithms used in other rule processors to determine NAT rule type
* and interface.
*
* We do this optimization in two steps:
*
* 1. in this rule processor we replace object in OSrc with firewall's
* interface. This way we can still use other rule processors that
* determine rule type and assign it to interfaces, but rule won't be
* split onto multiple rules because of objects in OSrc. We also set
* boolean flags "clear_osrc" and "use_nat_0_0" on the rule.
*
* 2. further down in rule processor clearOSrc we check the flag and
* clear OSrc if it is set.
*
* 3. flag "use_nat_0_0" is used in printRule processor.
*/
bool NATCompiler_pix::optimizeDefaultNAT::processNext()
{
// NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
RuleElementOSrc *osrc=rule->getOSrc();
RuleElementOSrv *osrv=rule->getOSrv();
RuleElementODst *odst=rule->getODst();
RuleElementTSrc *tsrc=rule->getTSrc();
RuleElementTDst *tdst=rule->getTDst();
if (osrc->size()>1) return true;
if (osrc->isAny()) return true;
if (!osrv->isAny()) return true;
if (!odst->isAny()) return true;
/*
* can't use RuleElementOSrc::getFirst(bool dereference) because it
* returns Address::cast(o), but child element of rule element may be
* a group when this processor is called.
*/
FWObject *o=osrc->front();
string osrc_id;
if (FWReference::cast(o)!=NULL)
osrc_id = FWObjectDatabase::getStringId(FWReference::cast(o)->getPointerId());
else
osrc_id = FWObjectDatabase::getStringId(o->getId());
if ( ( !tsrc->isAny() && tdst->isAny()) ||
( !osrc->isAny() && odst->isAny() && tsrc->isAny() && tdst->isAny() )
)
{
// this rule type is SNAT or NONAT
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
Interface *iface=Interface::cast(*i);
if (iface->getStr("orig_netzone_id")==osrc_id )
{
rule->setBool("clear_osrc",true);
rule->setBool("use_nat_0_0",true);
osrc->clearChildren();
osrc->addRef(iface);
break;
}
}
}
return true;
}
bool NATCompiler_pix::clearOSrc::processNext()
{
// NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
@ -1321,335 +1140,6 @@ bool NATCompiler_pix::processMultiAddressObjectsInRE::processNext()
}
bool NATCompiler_pix::SuppressDuplicateNONATStatics::processNext()
{
Helper helper(compiler);
// NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getRuleType()== NATRule::NONAT &&
rule->getInt("nonat_type")==NONAT_STATIC)
{
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
nonat_static_parameters sp;
sp.iface1 = helper.findInterfaceByNetzone(osrc );
sp.iface2 = helper.findInterfaceByNetzone(odst );
sp.addr = *(odst->getAddressPtr());
sp.mask = *(odst->getNetmaskPtr());
for (deque<nonat_static_parameters>::iterator i=all_nonat_statics.begin();
i!=all_nonat_statics.end(); ++i )
{
if ( i->iface1==sp.iface1 &&
i->iface2==sp.iface2 &&
i->addr==sp.addr &&
i->mask==sp.mask ) return true;
}
all_nonat_statics.push_back(sp);
}
tmp_queue.push_back(rule);
return true;
}
NATCompiler_pix::DetectOverlap::~DetectOverlap() {};
bool NATCompiler_pix::DetectOverlap::checkOverlapping(
const libfwbuilder::Address &addr1,
const libfwbuilder::InetAddr &addr2)
{
if (AddressRange::isA(&addr1))
{
const InetAddr a1 = AddressRange::constcast(&addr1)->getRangeStart();
const InetAddr a2 = AddressRange::constcast(&addr1)->getRangeEnd();
return (addr2==a1 || addr2==a2 || (addr2>a1 && addr2<a2));
} else
{
return *(addr1.getAddressPtr()) == addr2 || addr1.belongs(addr2);
}
}
string NATCompiler_pix::DetectOverlap::printGlobalPoolAddress(const Address &pool)
{
if (AddressRange::isA(&pool))
{
const InetAddr a1=AddressRange::constcast(&pool)->getRangeStart();
const InetAddr a2=AddressRange::constcast(&pool)->getRangeEnd();
return a1.toString()+"-"+a2.toString();
} else
{
return pool.getAddressPtr()->toString() + "/" +
pool.getNetmaskPtr()->toString();
}
}
bool NATCompiler_pix::DetectGlobalPoolProblems::processNext()
{
NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (rule->getRuleType()== NATRule::SNAT )
{
NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ];
if (natcmd->ignore_global) return true;
if (natcmd->type != INTERFACE)
{
if (checkOverlapping(*(natcmd->t_addr),
*(natcmd->t_iface->getAddressPtr())))
compiler->abort(
rule,
"Global pool "
+ printGlobalPoolAddress(*(natcmd->t_addr))
+ " overlaps with interface address.");
if (checkOverlapping(*(natcmd->t_addr),
*(natcmd->t_iface->getBroadcastAddressPtr()))
||
checkOverlapping(*(natcmd->t_addr),
*(natcmd->t_iface->getAddressPtr())) )
compiler->warning(
rule,
"Global pool "
+ printGlobalPoolAddress(*(natcmd->t_addr))
+ " overlaps with broadcast address.");
}
for (map<int,NATCmd*>::iterator i1=pix_comp->nat_commands.begin();
i1!=pix_comp->nat_commands.end(); ++i1)
{
NATCmd *nc=(*i1).second;
/* since map nat_commands is sorted by the key, we only have to scan it
* until we hit natcmd
*/
if (nc->ignore_global) continue;
if (natcmd==nc) break;
Interface *int1=natcmd->t_iface;
Interface *int2=nc->t_iface;
if ( int1->getId()==int2->getId() )
{
if ( ! fwcompiler::_find_obj_intersection(natcmd->t_addr,nc->t_addr).empty() )
{
compiler->abort(
rule,
string("Global pool overlap: ")
+ rule->getLabel() + " : "
+ printGlobalPoolAddress(*(natcmd->t_addr))
+ nc->rule_label + " : "
+ printGlobalPoolAddress(*(nc->t_addr)) );
}
}
}
}
return true;
}
bool NATCompiler_pix::DetectOverlappingGlobalPoolsAndStaticRules::processNext()
{
NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (rule->getRuleType()== NATRule::DNAT )
{
Address *outa=compiler->getFirstODst(rule); assert(outa);
Address *insa=compiler->getFirstTDst(rule); assert(insa);
for (map<int,NATCmd*>::iterator i=pix_comp->nat_commands.begin();
i!=pix_comp->nat_commands.end(); ++i)
{
NATCmd *natcmd=(*i).second;
if (natcmd->ignore_global) return true;
/* in this case natcmd->t_addr is interface. Interface creates
* single-address global pool, but since it has netmask,
* method checkOverlapping would treat it as network. I create
* temporary substitution Address object to avoid this .
*
* If interface is used for a global pool (SNAT rule) and
* for a static (DNAT rule), then this is ok even though
* such global pool overlaps with such static (added 10/17/03)
*
* But first I need to check if this interface has dynamic
* address, in which case I can not really do this check
* at all.
*/
IPv4 addr;
Interface *iface=Interface::cast(natcmd->t_addr);
if (iface!=NULL && iface->isDyn()) return true;
if (iface!=NULL && iface->getId()==outa->getId()) return true;
addr.setAddress(*(natcmd->t_addr->getAddressPtr()));
addr.setNetmask(*(natcmd->t_addr->getNetmaskPtr()));
if (natcmd->type== INTERFACE)
{
addr.setNetmask(InetAddr(InetAddr::getAllOnes()));
}
if ( checkOverlapping( addr, *(outa->getAddressPtr())) ||
checkOverlapping( *outa, *(addr.getAddressPtr())) )
compiler->abort(
rule,
"Global pool "
+printGlobalPoolAddress(addr)
+" from rule "
+natcmd->rule_label
+" overlaps with static translation address in rule "
+rule->getLabel());
}
}
return true;
}
bool NATCompiler_pix::DetectDuplicateNAT::processNext()
{
NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (rule->getRuleType()== NATRule::SNAT)
{
NATCmd *natcmd=pix_comp->nat_commands[ rule->getInt("nat_cmd") ];
if (natcmd->ignore_nat) return true;
for (map<int,NATCmd*>::iterator i1=pix_comp->nat_commands.begin();
i1!=pix_comp->nat_commands.end(); ++i1)
{
NATCmd *nc=(*i1).second;
/* since map nat_commands is sorted by the key, we only have to scan it
* until we hit natcmd
*/
if (nc->ignore_nat) continue;
if (natcmd==nc) break;
Interface *int1=natcmd->t_iface;
Interface *int2=nc->t_iface;
// InetAddr a1=natcmd->o_addr->getAddress();
// InetAddr a2=nc->o_addr->getAddress();
//
// InetAddr m1=natcmd->o_addr->getInetAddr();
// InetAddr m2=nc->o_addr->getNetmask();
if ( int1->getId()==int2->getId() &&
natcmd->o_src==nc->o_src &&
natcmd->o_dst==nc->o_dst &&
*(natcmd->o_srv)==*(nc->o_srv)
)
{
ostringstream str;
str << "Duplicate NAT detected: rules "
<< rule->getLabel()
<< " and "<< nc->rule_label
<< " : "<< natcmd->o_src->getAddressPtr()->toString()
<< "/"<< natcmd->o_src->getNetmaskPtr()->toString()
<< " "
<< natcmd->o_srv->getProtocolName()
<< " "
<< TCPUDPService::cast(natcmd->o_srv)->getSrcRangeStart()
<< ":"
<< TCPUDPService::cast(natcmd->o_srv)->getSrcRangeEnd()
<< " "
<< "->"<< natcmd->o_dst->getAddressPtr()->toString()
<< "/"<< natcmd->o_dst->getNetmaskPtr()->toString()
<< " "
<< TCPUDPService::cast(natcmd->o_srv)->getDstRangeStart()
<< "/"
<< TCPUDPService::cast(natcmd->o_srv)->getDstRangeEnd();
compiler->abort(rule, str.str());
}
}
}
return true;
}
bool NATCompiler_pix::DetectOverlappingStatics::processNext()
{
NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (rule->getRuleType()== NATRule::DNAT )
{
StaticCmd *scmd=pix_comp->static_commands[ rule->getInt("sc_cmd") ];
for (map<int,StaticCmd*>::iterator i1=pix_comp->static_commands.begin();
i1!=pix_comp->static_commands.end(); i1++ )
{
// int scid=i1->first;
StaticCmd *sc= i1->second;
if (sc->ignore_scmd_and_print_acl) continue;
if (sc==scmd) break;
if (Interface::isA(scmd->oaddr) && Interface::isA(sc->oaddr))
{
if ( *(sc->osrv) == *(scmd->osrv) &&
*(sc->tsrv) == *(scmd->tsrv) &&
*(sc->osrc) == *(scmd->osrc) &&
sc->oaddr->getId() == scmd->oaddr->getId())
compiler->abort(
rule,
"Static NAT rules overlap or are redundant : rules "+
sc->rule+" and "+scmd->rule+" : "+
"outside address: "+
"interface "+Interface::cast(scmd->oaddr)->getLabel()+
" inside address: "+
scmd->iaddr->getAddressPtr()->toString()+"/"+
scmd->iaddr->getNetmaskPtr()->toString());
} else
{
if ( *(sc->osrv) == *(scmd->osrv) &&
*(sc->tsrv) == *(scmd->tsrv) &&
*(sc->osrc) == *(scmd->osrc))
{
const InetAddrMask *ia1 =
scmd->iaddr->getInetAddrMaskObjectPtr();
const InetAddrMask *ia2 =
sc->iaddr->getInetAddrMaskObjectPtr();
const InetAddrMask *oa1 =
scmd->oaddr->getInetAddrMaskObjectPtr();
const InetAddrMask *oa2 =
sc->oaddr->getInetAddrMaskObjectPtr();
if ( ! getOverlap(*(ia1), *(ia2)).empty() ||
! getOverlap(*(oa1), *(oa2)).empty() )
compiler->abort(
rule,
"Static NAT rules overlap or are redundant: rules "+
sc->rule+" and "+scmd->rule+" : "+
"outside address: "+
scmd->oaddr->getAddressPtr()->toString()+"/"+
scmd->oaddr->getNetmaskPtr()->toString()+
" inside address: "+
scmd->iaddr->getAddressPtr()->toString()+"/"+
scmd->iaddr->getNetmaskPtr()->toString());
}
}
}
}
return true;
}
void NATCompiler_pix::compile()
{
@ -1662,6 +1152,21 @@ void NATCompiler_pix::compile()
add( new singleRuleFilter());
add(new expandGroupsInItfInb("expand groups in inbound Interface"));
add(new replaceClusterInterfaceInItfInb(
"replace cluster interfaces with member interfaces in "
"the inbound Interface rule element"));
add(new ItfInbNegation("process negation in inbound Itf"));
add(new expandGroupsInItfOutb("expand groups in outbound Interface"));
add(new replaceClusterInterfaceInItfOutb(
"replace cluster interfaces with member interfaces in "
"the outbound Interface rule element"));
add(new ItfOutbNegation("process negation in outbound Itf"));
add( new ConvertToAtomicForItfInb("convert to atomic for inbound interface") );
add( new ConvertToAtomicForItfOutb("convert to atomic for outbound interface"));
if (fw->getOptionsObject()->getBool( "pix_optimize_default_nat"))
add (new optimizeDefaultNAT(
"optimize commands 'nat (interface) 0.0.0.0 0.0.0.0'"));

20
src/cisco_lib/NATCompiler_pix.h
View File

@ -36,7 +36,8 @@
#include <map>
#include <deque>
namespace fwcompiler {
namespace fwcompiler
{
typedef enum { UNKNOWN,
@ -60,9 +61,9 @@ namespace fwcompiler {
libfwbuilder::Address *o_src; // for "nat" command
libfwbuilder::Address *o_dst; // for "nat" command
libfwbuilder::Service *o_srv; // for acl in "nat" command for 6.3
libfwbuilder::Interface *o_iface; // for "nat" command
libfwbuilder::Address *t_addr; // for "global" command
libfwbuilder::Interface *t_iface; // for "global" command
libfwbuilder::Interface *i_iface; // inbound
libfwbuilder::Interface *o_iface; // ountbound
int nat_id;
std::string nat_acl_name;
global_pool_type type;
@ -70,15 +71,18 @@ namespace fwcompiler {
struct StaticCmd
{
bool ignore_scmd_and_print_acl;
std::string acl_name;
std::string rule;
bool ignore_scmd_and_print_acl;
std::string acl_name;
std::string rule;
libfwbuilder::Address *iaddr;
libfwbuilder::Address *oaddr;
libfwbuilder::Address *osrc;
libfwbuilder::Service *osrv;
libfwbuilder::Service *tsrv;
libfwbuilder::Interface *i_iface; // inbound
libfwbuilder::Interface *o_iface; // outbound
StaticCmd() { };
bool operator==(const StaticCmd &other);
};
class NATCompiler_pix : public NATCompiler
@ -95,8 +99,8 @@ namespace fwcompiler {
struct nonat
{
std::string acl_name;
libfwbuilder::Interface *i_iface;
libfwbuilder::Interface *o_iface;
//libfwbuilder::Interface *i_iface;
//libfwbuilder::Interface *o_iface;
libfwbuilder::Address *src;
libfwbuilder::Address *dst;
bool last;

116
src/cisco_lib/NATCompiler_pix_writers.cpp
View File

@ -186,19 +186,24 @@ void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule)
Address *tdst=compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv);
RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL);
RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL);
Interface *i_iface = Interface::cast(
FWObjectReference::getObject(itf_in_re->front()));
Interface *o_iface = Interface::cast(
FWObjectReference::getObject(itf_out_re->front()));
switch (rule->getInt("nonat_type"))
{
case NONAT_NAT0:
{
nonat n0 = pix_comp->nonat_rules[rule->getId()];
Interface *iface1 = n0.i_iface;
// Interface *iface2=n0.o_iface;
if (rule->getBool("use_nat_0_0"))
{
/* old, < 6.3 */
compiler->output << "nat (" << iface1->getLabel() << ") 0 0 0";
compiler->output << "nat (" << i_iface->getLabel() << ") 0 0 0";
compiler->output << endl;
} else
{
@ -222,7 +227,7 @@ void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule)
<< _printAddress(n0.dst,true)
<< endl;
if (pix_comp->first_nonat_rule_id[iface1->getId()]==rule->getId())
if (pix_comp->first_nonat_rule_id[i_iface->getId()]==rule->getId())
{
if (compiler->fw->getStr("platform")=="fwsm" &&
compiler->fw->getOptionsObject()->getBool(
@ -232,7 +237,7 @@ void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule)
compiler->output << endl;
}
compiler->output << "nat ("
<< iface1->getLabel()
<< i_iface->getLabel()
<< ") 0 access-list "
<< n0.acl_name
<< endl;
@ -242,22 +247,14 @@ void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule)
}
case NONAT_STATIC:
{
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
Interface *osrc_iface = Interface::cast(
compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(osrc)));
Interface *odst_iface = Interface::cast(
compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(odst)));
string addr=odst->getAddressPtr()->toString();
string addr = odst->getAddressPtr()->toString();
string mask;
if (Network::isA(odst)) mask=odst->getNetmaskPtr()->toString();
else mask="255.255.255.255";
compiler->output << "static ("
<< odst_iface->getLabel() << ","
<< osrc_iface->getLabel() << ") "
<< o_iface->getLabel() << ","
<< i_iface->getLabel() << ") "
<< addr << " " << addr
<< " netmask " << mask
<< endl;
@ -273,22 +270,29 @@ void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule)
string platform = compiler->fw->getStr("platform");
string version = compiler->fw->getStr("version");
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_acl");
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_acl");
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
Service *osrv=compiler->getFirstOSrv(rule); assert(osrv);
Address *osrc = compiler->getFirstOSrc(rule); assert(osrc);
Address *odst = compiler->getFirstODst(rule); assert(odst);
Service *osrv = compiler->getFirstOSrv(rule); assert(osrv);
Address *tsrc=compiler->getFirstTSrc(rule); assert(tsrc);
Address *tdst=compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv);
Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc);
Address *tdst = compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv);
RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL);
RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL);
Interface *i_iface = Interface::cast(
FWObjectReference::getObject(itf_in_re->front()));
Interface *o_iface = Interface::cast(
FWObjectReference::getObject(itf_out_re->front()));
if ( ! natcmd->ignore_global)
{
compiler->output <<
"global (" << natcmd->t_iface->getLabel() << ") "
<< natcmd->nat_id;
"global (" << o_iface->getLabel() << ") " << natcmd->nat_id;
switch (natcmd->type)
{
@ -315,7 +319,7 @@ void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule)
<< "-"
<< ar->getRangeEnd().toString()
<< " netmask "
<< natcmd->t_iface->getNetmaskPtr()->toString()
<< o_iface->getNetmaskPtr()->toString()
<< endl;
}
break;
@ -333,7 +337,7 @@ void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule)
{
/* old, < 6.3 */
compiler->output
<< "nat (" << natcmd->o_iface->getLabel() << ") "
<< "nat (" << i_iface->getLabel() << ") "
<< natcmd->nat_id
<< " "
<< natcmd->o_src->getAddressPtr()->toString() << " "
@ -377,7 +381,7 @@ void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule)
compiler->output << "access-list commit" << endl;
compiler->output << endl;
}
compiler->output << "nat (" << natcmd->o_iface->getLabel() << ") "
compiler->output << "nat (" << i_iface->getLabel() << ") "
<< natcmd->nat_id
<< " access-list "
<< natcmd->nat_acl_name;
@ -400,21 +404,24 @@ void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule)
string platform = compiler->fw->getStr("platform");
string version = compiler->fw->getStr("version");
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_acl");
string("/FWBuilderResources/Target/options/") +
"version_" + version+"/pix_commands/clear_acl");
Address *osrc=compiler->getFirstOSrc(rule); assert(osrc);
Address *odst=compiler->getFirstODst(rule); assert(odst);
Service *osrv=compiler->getFirstOSrv(rule); assert(osrv);
Address *osrc = compiler->getFirstOSrc(rule); assert(osrc);
Address *odst = compiler->getFirstODst(rule); assert(odst);
Service *osrv = compiler->getFirstOSrv(rule); assert(osrv);
Address *tsrc=compiler->getFirstTSrc(rule); assert(tsrc);
Address *tdst=compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv);
Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc);
Address *tdst = compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv);
Interface *iface_orig = Interface::cast(
compiler->dbcopy->findInIndex(rule->getInt("nat_iface_orig")));
Interface *iface_trn = Interface::cast(
compiler->dbcopy->findInIndex(rule->getInt("nat_iface_trn")));
RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL);
RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL);
Interface *i_iface = Interface::cast(
FWObjectReference::getObject(itf_in_re->front()));
Interface *o_iface = Interface::cast(
FWObjectReference::getObject(itf_out_re->front()));
StaticCmd *scmd = pix_comp->static_commands[ rule->getInt("sc_cmd") ];
@ -431,9 +438,9 @@ void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule)
/* old, < 6.3 */
compiler->output << "static ("
<< iface_trn->getLabel()
<< o_iface->getLabel()
<< ","
<< iface_orig->getLabel()
<< i_iface->getLabel()
<< ") " ;
bool use_ports=false;
@ -459,6 +466,7 @@ void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule)
compiler->output << " netmask " << outm->toString();
}
compiler->output << " " << _printConnOptions(rule) << endl;
} else
{
/* new, >=6.3 */
@ -494,20 +502,28 @@ void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule)
if (!scmd->ignore_scmd_and_print_acl)
{
if (compiler->fw->getStr("platform")=="fwsm" &&
compiler->fw->getOptionsObject()->getBool("pix_use_manual_commit") )
compiler->fw->getOptionsObject()->getBool("pix_use_manual_commit"))
{
compiler->output << "access-list commit" << endl;
compiler->output << endl;
}
compiler->output << "static ("
<< iface_trn->getLabel()
<< o_iface->getLabel()
<< ","
<< iface_orig->getLabel()
<< i_iface->getLabel()
<< ") " ;
bool use_ports=false;
if (TCPService::cast(scmd->osrv)) { use_ports=true; compiler->output << "tcp "; }
if (UDPService::cast(scmd->osrv)) { use_ports=true; compiler->output << "udp "; }
if (TCPService::cast(scmd->osrv))
{
use_ports=true;
compiler->output << "tcp ";
}
if (UDPService::cast(scmd->osrv))
{
use_ports=true;
compiler->output << "udp ";
}
if (Interface::cast(scmd->oaddr)!=NULL)
compiler->output << "interface ";
@ -530,8 +546,8 @@ bool NATCompiler_pix::PrintRule::processNext()
string platform = compiler->fw->getStr("platform");
string version = compiler->fw->getStr("version");
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_acl");
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_acl");
NATRule *rule = getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);

6
src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
View File

@ -106,9 +106,9 @@ bool CreateObjectGroups::processNext()
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInterfaceId()));
assert(rule_iface);
// Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
// rule->getInterfaceId()));
//assert(rule_iface);
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));

1
src/cisco_lib/cisco_lib.pro
View File

@ -34,6 +34,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
NATCompiler_pix_writers.cpp \
NATCompiler_asa8.cpp \
NATCompiler_asa8_writers.cpp \
NATCompiler_pix_optimizers.cpp \
OSConfigurator_pix_os.cpp \
OSConfigurator_pix_os_fixups.cpp \
OSConfigurator_pix_os_inspectors.cpp \

4
src/res/platform/fwsm.xml
View File

@ -233,8 +233,8 @@ nameif %in %il security%sl
<options_in_policy>True</options_in_policy>
<supports_nat>True</supports_nat>
<actions_in_nat>False</actions_in_nat>
<inbound_interface_in_nat>False</inbound_interface_in_nat>
<outbound_interface_in_nat>False</outbound_interface_in_nat>
<inbound_interface_in_nat>True</inbound_interface_in_nat>
<outbound_interface_in_nat>True</outbound_interface_in_nat>
<supports_time>False</supports_time>
<supports_accounting>False</supports_accounting>
<security_levels>True</security_levels>

4
src/res/platform/pix.xml
View File

@ -646,8 +646,8 @@
<options_in_policy>True</options_in_policy>
<supports_nat>True</supports_nat>
<actions_in_nat>False</actions_in_nat>
<inbound_interface_in_nat>False</inbound_interface_in_nat>
<outbound_interface_in_nat>False</outbound_interface_in_nat>
<inbound_interface_in_nat>True</inbound_interface_in_nat>
<outbound_interface_in_nat>True</outbound_interface_in_nat>
<supports_time>False</supports_time>
<supports_accounting>False</supports_accounting>
<security_levels>True</security_levels>

4
test/pix/cluster1-1_pix1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:22 2011 PST by vadim
! Generated Sat Feb 19 18:59:49 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

4
test/pix/cluster1-1_pix2.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:22 2011 PST by vadim
! Generated Sat Feb 19 18:59:49 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

4
test/pix/cluster1_pix1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:22 2011 PST by vadim
! Generated Sat Feb 19 18:59:49 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

4
test/pix/cluster1_pix2.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:22 2011 PST by vadim
! Generated Sat Feb 19 18:59:49 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

4
test/pix/firewall.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:05 2011 PST by vadim
! Generated Sat Feb 19 18:59:23 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

9
test/pix/firewall1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:04 2011 PST by vadim
! Generated Sat Feb 19 18:59:23 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported
@ -20,6 +20,9 @@
! C firewall1:Policy:9: error: Dynamic interface can be used in the policy rule only in v6.3 or later.
! C firewall1:Policy:9: error: Dynamic interface can be used in the policy rule only in v6.3 or later.
! N firewall1:NAT:4: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command.
! N firewall1:NAT:5: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command.
!
! Prolog script:
!
@ -137,12 +140,14 @@ nat (inside) 2 192.168.1.0 255.255.255.0 0 0
global (dmz) 2 interface
!
nat (dmz) 2 192.168.2.0 255.255.255.0 0 0
! firewall1:NAT:4: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command.
!
!
! Rule 5 (NAT)
!
!
!
! firewall1:NAT:5: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command.
!

4
test/pix/firewall10.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:05 2011 PST by vadim
! Generated Sat Feb 19 18:59:25 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

4
test/pix/firewall11.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:05 2011 PST by vadim
! Generated Sat Feb 19 18:59:25 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

4
test/pix/firewall12.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:06 2011 PST by vadim
! Generated Sat Feb 19 18:59:26 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

4
test/pix/firewall13.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:07 2011 PST by vadim
! Generated Sat Feb 19 18:59:26 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

4
test/pix/firewall14.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:07 2011 PST by vadim
! Generated Sat Feb 19 18:59:27 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

4
test/pix/firewall2.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:08 2011 PST by vadim
! Generated Sat Feb 19 18:59:27 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

4
test/pix/firewall20.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:08 2011 PST by vadim
! Generated Sat Feb 19 18:59:29 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

4
test/pix/firewall21-1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:09 2011 PST by vadim
! Generated Sat Feb 19 18:59:30 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

4
test/pix/firewall21.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:09 2011 PST by vadim
! Generated Sat Feb 19 18:59:29 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

4
test/pix/firewall22.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:10 2011 PST by vadim
! Generated Sat Feb 19 18:59:31 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

4
test/pix/firewall3.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:10 2011 PST by vadim
! Generated Sat Feb 19 18:59:32 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

26
test/pix/firewall33.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:11 2011 PST by vadim
! Generated Sat Feb 19 18:59:34 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -21,6 +21,12 @@
! C firewall33:Policy:7: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode
! C firewall33:Policy:8: error: Run-time AddressTable and DNSName objects are not supported.
! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
! N firewall33:NAT:2: error: Run-time AddressTable and DNSName objects are not supported.
!
@ -80,11 +86,11 @@ object-group network id43867C2418346.src.net.0
exit
object-group network id438728A918346.dst.net.0
network-object host 74.125.224.16
network-object host 74.125.224.17
network-object host 74.125.224.18
network-object host 74.125.224.19
network-object host 74.125.224.20
network-object host 74.125.224.80
network-object host 74.125.224.81
network-object host 74.125.224.82
network-object host 74.125.224.83
network-object host 74.125.224.84
network-object host 157.166.224.25
network-object host 157.166.224.26
network-object host 157.166.226.25
@ -134,12 +140,18 @@ access-list id43867C4918346.0 permit ip host 192.168.1.10 any
static (inside,outside) interface access-list id43867C4918346.0 0 0
!
! Rule 1 (NAT)
! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
global (outside) 1 interface
access-list id43876E2618346.0 permit ip any host 157.166.224.25
! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
access-list id43876E2618346.0 permit ip any host 157.166.224.26
! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
access-list id43876E2618346.0 permit ip any host 157.166.226.25
! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
access-list id43876E2618346.0 permit ip any host 157.166.226.26
! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
access-list id43876E2618346.0 permit ip any host 157.166.255.18
! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command.
access-list id43876E2618346.0 permit ip any host 157.166.255.19
nat (outside) 1 access-list id43876E2618346.0 0 0

61
test/pix/firewall34.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:12 2011 PST by vadim
! Generated Sat Feb 19 18:59:34 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -74,61 +74,6 @@ object-group network id16988X10208.dst.net.0
exit
object-group network id4390C25825682.dst.net.0
network-object 58.33.181.83 255.255.255.255
network-object 58.53.82.190 255.255.255.255
network-object 58.231.13.78 255.255.255.255
network-object host 61.150.47.112
network-object 61.184.14.102 255.255.255.255
network-object 64.106.85.186 255.255.255.255
network-object 70.228.60.100 255.255.255.255
network-object 80.51.236.6 255.255.255.255
network-object 80.243.72.149 255.255.255.255
network-object 80.249.77.34 255.255.255.255
network-object 81.2.36.254 255.255.255.255
network-object 81.196.74.125 255.255.255.255
network-object 82.77.37.174 255.255.255.255
network-object 82.117.221.205 255.255.255.255
network-object 82.143.196.17 255.255.255.255
network-object 84.90.8.198 255.255.255.255
network-object 151.8.224.178 255.255.255.255
network-object 168.156.76.20 255.255.255.255
network-object 193.207.126.36 255.255.255.255
network-object 195.136.186.35 255.255.255.255
network-object 196.15.136.15 255.255.255.255
network-object 201.10.180.138 255.255.255.255
network-object 201.17.93.16 255.255.255.255
network-object 201.36.156.121 255.255.255.255
network-object 202.96.112.93 255.255.255.255
network-object 202.103.25.253 255.255.255.255
network-object 203.162.3.209 255.255.255.255
network-object 203.209.124.144 255.255.255.255
network-object 210.106.193.237 255.255.255.255
network-object 210.222.114.102 255.255.255.255
network-object 211.144.143.143 255.255.255.255
network-object 211.172.218.237 255.255.255.255
network-object 211.250.16.132 255.255.255.255
network-object 212.21.241.31 255.255.255.255
network-object 212.100.212.100 255.255.255.255
network-object 218.18.72.252 255.255.255.255
network-object 218.39.114.122 255.255.255.255
network-object 218.55.115.43 255.255.255.255
network-object 218.104.138.146 255.255.255.255
network-object 219.132.104.160 255.255.255.255
network-object 220.71.17.86 255.255.255.255
network-object 220.81.50.105 255.255.255.255
network-object 220.91.99.46 255.255.255.255
network-object 221.14.249.242 255.255.255.255
network-object 221.166.177.135 255.255.255.255
network-object 221.198.33.38 255.255.255.255
network-object 221.202.160.233 255.255.255.255
network-object 221.205.54.125 255.255.255.255
network-object 221.217.44.248 255.255.255.255
network-object 222.100.212.223 255.255.255.255
network-object 222.121.118.144 255.255.255.255
network-object 222.174.113.2 255.255.255.255
exit
object-group network id4388CFF8674.src.net.0
network-object 58.33.181.83 255.255.255.255
network-object 58.53.82.190 255.255.255.255
network-object 58.231.13.78 255.255.255.255
@ -214,7 +159,7 @@ access-list outside_acl_in deny tcp any object-group id4390C25825682.dst.net.0
access-list inside_acl_in deny tcp any object-group id4390C25825682.dst.net.0 eq 25
!
! Rule 5 (global)
access-list outside_acl_in deny ip object-group id4388CFF8674.src.net.0 any log 6 interval 300
access-list outside_acl_in deny ip object-group id4390C25825682.dst.net.0 any log 6 interval 300
!
! Rule 6 (global)
access-list outside_acl_in deny ip object-group id4390C25825682.dst.net.0 any log 6 interval 300

4
test/pix/firewall4.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:12 2011 PST by vadim
! Generated Sat Feb 19 18:59:35 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

4
test/pix/firewall50.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:13 2011 PST by vadim
! Generated Sat Feb 19 18:59:35 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

4
test/pix/firewall6.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:13 2011 PST by vadim
! Generated Sat Feb 19 18:59:37 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

4
test/pix/firewall8.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:14 2011 PST by vadim
! Generated Sat Feb 19 18:59:37 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

4
test/pix/firewall80.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:14 2011 PST by vadim
! Generated Sat Feb 19 18:59:38 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported

4
test/pix/firewall81.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:15 2011 PST by vadim
! Generated Sat Feb 19 16:27:54 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

4
test/pix/firewall82.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:15 2011 PST by vadim
! Generated Sat Feb 19 16:27:55 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

4
test/pix/firewall83.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:16 2011 PST by vadim
! Generated Sat Feb 19 16:27:55 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

4
test/pix/firewall9.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:16 2011 PST by vadim
! Generated Sat Feb 19 18:59:41 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

4
test/pix/firewall90.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:17 2011 PST by vadim
! Generated Sat Feb 19 16:27:56 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

4
test/pix/firewall91.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:17 2011 PST by vadim
! Generated Sat Feb 19 16:27:57 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

4
test/pix/firewall92.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:18 2011 PST by vadim
! Generated Sat Feb 19 16:27:57 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

4
test/pix/firewall93.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:18 2011 PST by vadim
! Generated Sat Feb 19 16:27:58 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

4
test/pix/firewall94.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:18 2011 PST by vadim
! Generated Sat Feb 19 18:59:45 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

4
test/pix/fwsm1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:19 2011 PST by vadim
! Generated Sat Feb 19 18:59:46 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported

4
test/pix/fwsm2.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:20 2011 PST by vadim
! Generated Sat Feb 19 18:59:46 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported

5371
test/pix/objects-for-regression-tests.fwb
View File

File diff suppressed because it is too large Load Diff

4
test/pix/pix515.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:20 2011 PST by vadim
! Generated Sat Feb 19 18:59:48 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

4
test/pix/real.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3470
! Firewall Builder fwb_pix v4.2.0.3482
!
! Generated Thu Feb 10 15:07:21 2011 PST by vadim
! Generated Sat Feb 19 18:59:48 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported