diff --git a/doc/ChangeLog b/doc/ChangeLog index 0c3c8513e..70dbd4dac 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,15 @@ 2011-02-19 vadim + * NATCompiler_pix.cpp (processNext): see #2098 Added support for + user-configurable inbound and outbound interfaces in Cisco PIX/ASA + NAT rules. Two new columns appear in the rule set view: "Inbound + Interface" and "Outbound Interface". If user leaves one or both + columns blank, the GUI shows "Auto" in there and policy compiler + picks corresponding interface automatically. Leaving both columns + blank ("Auto") triggers backwards-compatible automatic behavior + where both interfaces are picked automatically. Multiple interface + objects and groups of interfaces are allowed in these columns. + * ClusterInterfaceWidget.cpp (getInterfaceData): fixes #2117 "CARP interfaces in cluster that use VLAN interaces have no interface set to MASTER". When PF cluster configuration was built using vlan diff --git a/src/cisco_lib/NATCompiler_asa8.cpp b/src/cisco_lib/NATCompiler_asa8.cpp index f3adac1ea..49daa241d 100644 --- a/src/cisco_lib/NATCompiler_asa8.cpp +++ b/src/cisco_lib/NATCompiler_asa8.cpp @@ -269,21 +269,6 @@ bool NATCompiler_asa8::VerifyRules::processNext() bool NATCompiler_asa8::verifyInterfacesInNatRule::processNext() { NATRule *rule = getNext(); if (rule==NULL) return false; - - Interface *o_iface = Interface::cast(compiler->dbcopy->findInIndex( - rule->getInt("nat_iface_orig"))); - Interface *t_iface = Interface::cast(compiler->dbcopy->findInIndex( - rule->getInt("nat_iface_trn"))); - - if (o_iface->getId() == t_iface->getId()) - { - QString err("Objects used in Original Source and Translated Source " - "of the rule dictate that the same interface '%1' is going " - "to be used as real and mapped interface in the generated " - "nat command."); - compiler->warning(rule, err.arg(o_iface->getLabel().c_str()).toStdString()); - } - tmp_queue.push_back(rule); return true; } diff --git a/src/cisco_lib/NATCompiler_asa8_writers.cpp b/src/cisco_lib/NATCompiler_asa8_writers.cpp index 05370f783..98c710832 100644 --- a/src/cisco_lib/NATCompiler_asa8_writers.cpp +++ b/src/cisco_lib/NATCompiler_asa8_writers.cpp @@ -116,14 +116,17 @@ void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule) Address *tdst = compiler->getFirstTDst(rule); assert(tdst); Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); - Interface *o_iface = Interface::cast(compiler->dbcopy->findInIndex( - rule->getInt("nat_iface_orig"))); - Interface *t_iface = Interface::cast(compiler->dbcopy->findInIndex( - rule->getInt("nat_iface_trn"))); + RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); + RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); + + Interface *i_iface = Interface::cast( + FWObjectReference::getObject(itf_in_re->front())); + Interface *o_iface = Interface::cast( + FWObjectReference::getObject(itf_out_re->front())); cmd << QString("nat (%1,%2)") - .arg(o_iface->getLabel().c_str()) - .arg(t_iface->getLabel().c_str()); + .arg(i_iface->getLabel().c_str()) + .arg(o_iface->getLabel().c_str()); cmd << "source"; diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp index a80410144..099ac9d7e 100644 --- a/src/cisco_lib/NATCompiler_pix.cpp +++ b/src/cisco_lib/NATCompiler_pix.cpp @@ -96,6 +96,16 @@ NATCompiler_pix::~NATCompiler_pix() } +bool StaticCmd::operator==(const StaticCmd &other) +{ + return (*oaddr == *(other.oaddr) && + *iaddr == *(other.iaddr) && + *osrv == *(other.osrv) && + *tsrv == *(other.tsrv) && + i_iface->getId() == other.i_iface->getId() && + o_iface->getId() == other.o_iface->getId()); +} + /* * Do not expand interfaces in ODst and TSrc * @@ -230,10 +240,8 @@ string NATCompiler_pix::debugPrintRule(Rule *r) { NATRule *rule=NATRule::cast(r); - FWObject *iface1 = dbcopy->findInIndex( rule->getInt("nat_iface_orig") ); - FWObject *iface2 = dbcopy->findInIndex( rule->getInt("nat_iface_trn") ); - string iface1_name=(iface1!=NULL)?iface1->getName():""; - string iface2_name=(iface2!=NULL)?iface2->getName():""; + RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); + RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); ostringstream os; @@ -258,9 +266,7 @@ string NATCompiler_pix::debugPrintRule(Rule *r) os << " o_src=" << _print_addr(natcmd->o_src->getAddressPtr()); os << " o_dst=" << _print_addr(natcmd->o_dst->getAddressPtr()); os << " o_srv=" << natcmd->o_srv->getName(); - os << " o_iface=" << natcmd->o_iface->getLabel(); os << " t_addr=" << _print_addr(natcmd->t_addr->getAddressPtr()); - os << " t_iface=" << natcmd->t_iface->getLabel(); os << " ignore_global=" << string((natcmd->ignore_global)?"1":"0"); os << " ignore_nat=" << string((natcmd->ignore_nat)?"1":"0"); os << " ignore_nat_and_print_acl=" @@ -281,6 +287,7 @@ string NATCompiler_pix::debugPrintRule(Rule *r) string oaddr_str = _print_addr(scmd->oaddr->getAddressPtr()); os << " StaticCmd:"; + os << " ignore=" << scmd->ignore_scmd_and_print_acl; os << " acl=" << scmd->acl_name; os << " (" << nat_acl_names[scmd->acl_name] << ")"; os << " iaddr=" << iaddr_str; @@ -294,9 +301,9 @@ string NATCompiler_pix::debugPrintRule(Rule *r) default: ; // TODO: should actually be always_assert } - return NATCompiler::debugPrintRule(rule)+ - " "+iface1_name+" "+iface2_name+ - " (type="+rule->getRuleTypeAsString()+") "+ + return NATCompiler::debugPrintRule(rule) + + " " + + " (type=" + rule->getRuleTypeAsString() + ") " + "use_nat_0_0=" + string((rule->getBool("use_nat_0_0"))?"1":"0") + " " + os.str(); } @@ -465,6 +472,8 @@ bool NATCompiler_pix::AssignInterface::processNext() Helper helper(compiler); NATRule *rule = getNext(); if (rule==NULL) return false; + RuleElement *itf_re; + Address *a1 = NULL; Address *a2 = NULL; @@ -490,28 +499,42 @@ bool NATCompiler_pix::AssignInterface::processNext() int org_intf_id = helper.findInterfaceByNetzone(a1); int trn_intf_id = helper.findInterfaceByNetzone(a2); - rule->setInt("nat_iface_orig", org_intf_id); - rule->setInt("nat_iface_trn", trn_intf_id); - rule->setInterfaceId(trn_intf_id); - if ( rule->getInt("nat_iface_orig")==-1 ) + FWObject *iface_org = compiler->dbcopy->findInIndex(org_intf_id); + FWObject *iface_trn = compiler->dbcopy->findInIndex(trn_intf_id); + + if ( org_intf_id==-1 ) { - compiler->abort( - rule, - "Object '" + a1->getName() + - "' does not belong to any known network zone."); + QString err("Object '%1' does not belong to any known network zone."); + compiler->abort(rule, err.arg(a1->getName().c_str()).toStdString()); return true; } - if ( rule->getInt("nat_iface_trn")==-1 ) + if ( trn_intf_id==-1 ) { - compiler->abort( - rule, - "Object '" + a2->getName() + - "' does not belong to any known network zone."); + QString err("Object '%1' does not belong to any known network zone."); + compiler->abort(rule, err.arg(a2->getName().c_str()).toStdString()); return true; } + itf_re = rule->getItfInb(); assert(itf_re!=NULL); + if (itf_re->isAny() && ! itf_re->hasRef(iface_org)) itf_re->addRef(iface_org); + + itf_re = rule->getItfOutb(); assert(itf_re!=NULL); + if (itf_re->isAny() && ! itf_re->hasRef(iface_trn)) itf_re->addRef(iface_trn); + + if (org_intf_id == trn_intf_id) + { + QString err("Objects used in Original Source and Translated Source " + "of the rule dictate that the same interface '%1' is going " + "to be used as real and mapped interface in the generated " + "nat command."); + compiler->warning( + rule, + err.arg( + Interface::cast(iface_org)->getLabel().c_str()).toStdString()); + } + tmp_queue.push_back(rule); return true; } @@ -793,8 +816,10 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext() } } else { - Address *odst=compiler->getFirstODst(rule); assert(odst!=NULL); - FWObject *odst_iface=compiler->dbcopy->findInIndex( helper.findInterfaceByNetzone(odst ) ); + Address *odst = compiler->getFirstODst(rule); assert(odst!=NULL); + FWObject *odst_iface = + compiler->dbcopy->findInIndex( + helper.findInterfaceByNetzone(odst ) ); if (odst_iface!=NULL) cl.push_back(odst_iface); } if ( ! cl.empty() ) { @@ -872,11 +897,12 @@ bool NATCompiler_pix::UseFirewallInterfaces::processNext() bool NATCompiler_pix::processNONATRules::processNext() { Helper helper(compiler); - NATCompiler_pix *pix_comp=dynamic_cast(compiler); + NATCompiler_pix *pix_comp = dynamic_cast(compiler); NATRule *rule=getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); - if (rule->getRuleType()==NATRule::NONAT) { + if (rule->getRuleType()==NATRule::NONAT) + { Address *osrc=compiler->getFirstOSrc(rule); assert(osrc); Address *odst=compiler->getFirstODst(rule); assert(odst); @@ -897,8 +923,17 @@ bool NATCompiler_pix::processNONATRules::processNext() { rule->setInt("nonat_type", NONAT_NAT0); nonat n0; - n0.i_iface = osrc_iface; - n0.o_iface = odst_iface; + // n0.i_iface = osrc_iface; + // n0.o_iface = odst_iface; + + RuleElement *itf_re = rule->getItfInb(); + assert(itf_re!=NULL); + if ( ! itf_re->hasRef(osrc_iface)) itf_re->addRef(osrc_iface); + + itf_re = rule->getItfOutb(); + assert(itf_re!=NULL); + if ( ! itf_re->hasRef(odst_iface)) itf_re->addRef(odst_iface); + n0.src = osrc; n0.dst = odst; n0.acl_name = "nat0."+osrc_iface->getLabel(); @@ -913,7 +948,20 @@ bool NATCompiler_pix::processNONATRules::processNext() } else { - rule->setInt("nonat_type",NONAT_STATIC); + rule->setInt("nonat_type", NONAT_STATIC); + Interface *osrc_iface = Interface::cast( + compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(osrc))); + Interface *odst_iface = Interface::cast( + compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(odst))); + + RuleElement *itf_re = rule->getItfInb(); + assert(itf_re!=NULL); + if ( ! itf_re->hasRef(osrc_iface)) itf_re->addRef(osrc_iface); + + itf_re = rule->getItfOutb(); + assert(itf_re!=NULL); + if ( ! itf_re->hasRef(odst_iface)) itf_re->addRef(odst_iface); + } } @@ -927,12 +975,6 @@ bool NATCompiler_pix::createNATCmd::processNext() NATRule *rule = getNext(); if (rule==NULL) return false; string version = compiler->fw->getStr("version"); - bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member"); - Cluster *cluster = NULL; - if (cluster_member) - cluster = Cluster::cast( - compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id"))); - if (rule->getRuleType()==NATRule::SNAT) { Address *osrc = compiler->getFirstOSrc(rule); assert(osrc); @@ -940,6 +982,14 @@ bool NATCompiler_pix::createNATCmd::processNext() Service *osrv = compiler->getFirstOSrv(rule); assert(osrv); Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc); + RuleElementItfInb *itf_in_re = rule->getItfInb(); + RuleElementItfOutb *itf_out_re = rule->getItfOutb(); + + Interface *i_iface = Interface::cast( + FWObjectReference::getObject(itf_in_re->front())); + Interface *o_iface = Interface::cast( + FWObjectReference::getObject(itf_out_re->front())); + NATCmd *natcmd = new NATCmd(); natcmd->nat_id = nat_id_counter; @@ -948,16 +998,14 @@ bool NATCompiler_pix::createNATCmd::processNext() natcmd->o_src = osrc; natcmd->o_dst = odst; natcmd->o_srv = osrv; - natcmd->o_iface = Interface::cast(compiler->dbcopy->findInIndex( - rule->getInt("nat_iface_orig"))); natcmd->t_addr = tsrc; - natcmd->t_iface = Interface::cast(compiler->dbcopy->findInIndex( - rule->getInt("nat_iface_trn"))); + natcmd->i_iface = i_iface; // inbound interface + natcmd->o_iface = o_iface; // outbound interface natcmd->nat_acl_name = pix_comp->getNATACLname(rule,""); pix_comp->registerACL(natcmd->nat_acl_name); - if (Interface::cast(tsrc)!=NULL || natcmd->t_iface->isDyn()) + if (Interface::cast(tsrc)!=NULL || o_iface->isDyn()) { natcmd->type = INTERFACE; } else @@ -978,8 +1026,9 @@ bool NATCompiler_pix::createNATCmd::processNext() /* * "nat ... outside" is only supported in PIX 6.2 */ + natcmd->outside = - ( natcmd->o_iface->getSecurityLevel() < natcmd->t_iface->getSecurityLevel()); + ( i_iface->getSecurityLevel() < o_iface->getSecurityLevel()); if (natcmd->outside && compiler->fw->getStr("platform")=="pix" && libfwbuilder::XMLTools::version_compare(version, "6.2")<0 ) @@ -1011,13 +1060,21 @@ bool NATCompiler_pix::createStaticCmd::processNext() if (rule->getRuleType()==NATRule::DNAT) { - Address *osrc=compiler->getFirstOSrc(rule); assert(osrc); - Address *odst=compiler->getFirstODst(rule); assert(odst); - Service *osrv=compiler->getFirstOSrv(rule); assert(osrv); - Address *tdst=compiler->getFirstTDst(rule); assert(tdst); - Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv); + Address *osrc = compiler->getFirstOSrc(rule); assert(osrc); + Address *odst = compiler->getFirstODst(rule); assert(odst); + Service *osrv = compiler->getFirstOSrv(rule); assert(osrv); + Address *tdst = compiler->getFirstTDst(rule); assert(tdst); + Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); - StaticCmd *scmd=new StaticCmd(); + RuleElementItfInb *itf_in_re = rule->getItfInb(); + RuleElementItfOutb *itf_out_re = rule->getItfOutb(); + + Interface *i_iface = Interface::cast( + FWObjectReference::getObject(itf_in_re->front())); + Interface *o_iface = Interface::cast( + FWObjectReference::getObject(itf_out_re->front())); + + StaticCmd *scmd = new StaticCmd(); scmd->acl_name = pix_comp->getNATACLname(rule,""); pix_comp->registerACL(scmd->acl_name); @@ -1030,6 +1087,8 @@ bool NATCompiler_pix::createStaticCmd::processNext() scmd->osrv= osrv; scmd->tsrv= tsrv; scmd->ignore_scmd_and_print_acl=false; + scmd->i_iface = i_iface; + scmd->o_iface = o_iface; pix_comp->static_commands[sc_id_counter]=scmd; rule->setInt("sc_cmd",sc_id_counter); @@ -1041,246 +1100,6 @@ bool NATCompiler_pix::createStaticCmd::processNext() } - -/* - * this processor uses slurp to make sure all previous processors ran before - * it starts scanning rules. - */ -bool NATCompiler_pix::mergeNATCmd::processNext() -{ - NATCompiler_pix *pix_comp=dynamic_cast(compiler); - - slurp(); - if (tmp_queue.size()==0) return false; - - for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) - { - NATRule *rule = NATRule::cast( *k ); - - if (rule->getRuleType() == NATRule::DNAT) - { - StaticCmd *scmd = pix_comp->static_commands[rule->getInt("sc_cmd")]; - - map::iterator i1; - for (i1=pix_comp->static_commands.begin(); - i1!=pix_comp->static_commands.end(); ++i1) - { - StaticCmd *sc = (*i1).second; - if (scmd==sc) break; - - if (*(scmd->oaddr) == *(sc->oaddr) && - *(scmd->iaddr) == *(sc->iaddr) && - *(scmd->osrv) == *(sc->osrv) && - *(scmd->tsrv) == *(sc->tsrv)) - { -/* rule 'sc' is above rule 'scmd', we need to print 'static' command - * only in the last rule using the same access list. That's why we set - * flag ignore_scmd_and_print acl in sc and not in scmd - */ - - scmd->acl_name = sc->acl_name; - sc->ignore_scmd_and_print_acl=true; - } - } - } - - if (rule->getRuleType()==NATRule::SNAT) - { - NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ]; - - map::iterator i1; - for (i1 = pix_comp->nat_commands.begin(); - i1 != pix_comp->nat_commands.end(); ++i1) - { - NATCmd *nc = (*i1).second; -/* since map nat_commands is sorted by the key, we only have to scan it - * until we hit natcmd - */ - - if (natcmd==nc) break; - - const InetAddr *a1 = natcmd->t_addr->getAddressPtr(); - const InetAddr *a2 = nc->t_addr->getAddressPtr(); - - Interface *int1 = natcmd->t_iface; - Interface *int2 = nc->t_iface; - - if ((natcmd->t_addr == nc->t_addr || - (a1 && a2 && *a1 == *a2)) && - int1->getId() == int2->getId() ) - { - natcmd->ignore_global = true; - natcmd->nat_id = nc->nat_id; - } - } - - for (map::iterator i1=pix_comp->nat_commands.begin(); - i1!=pix_comp->nat_commands.end(); ++i1) - { - NATCmd *nc = (*i1).second; -/* since map nat_commands is sorted by the key, we only have to scan it - * until we hit natcmd - */ - if (natcmd == nc) break; - if (nc->ignore_nat) continue; - -/* using operator==(const Address &o1,const Address &o2) here */ - - if ( *(natcmd->o_src) == *(nc->o_src) && - *(natcmd->o_dst) == *(nc->o_dst) && - *(natcmd->o_srv) == *(nc->o_srv) && - natcmd->o_iface->getId() == nc->o_iface->getId() ) - { -/* - * there is another nat rule (rule #2) with the same "original" - * addresses and the same interface. We can drop this nat rule, but need - * to merge its global pool with pool of the rule #2. - * - * This nat rule could have been sharing a global pool with some other - * nat rule; in this case we need to find this other rule and also - * reassign it to the global pool of the rule #2. - */ - natcmd->ignore_nat = true; - map::iterator i2; - for (i2 = pix_comp->nat_commands.begin(); - i2 != pix_comp->nat_commands.end(); ++i2) - { - NATCmd *nc2 = i2->second; - if (natcmd->nat_id == nc2->nat_id) - nc2->nat_id = nc->nat_id; - } - natcmd->nat_id = nc->nat_id; - } - } - - if (!natcmd->use_nat_0_0) - { - map::iterator i1; - for (i1 = pix_comp->nat_commands.begin(); - i1 != pix_comp->nat_commands.end(); ++i1) - { - NATCmd *nc=(*i1).second; -/* since map nat_commands is sorted by the key, we only have to scan it - * until we hit natcmd - */ - if (natcmd==nc) break; - -/* ignore nat natcmd entries for rules where we won't print 'nat' - * command or use 'nat 0' command since this means we won't print - * access-list for those rules and hense can not merge lists - */ - if (nc->ignore_nat) continue; - if (nc->use_nat_0_0) continue; - - if ( natcmd->nat_id == nc->nat_id && - natcmd->t_addr == nc->t_addr && - natcmd->o_iface->getId() == nc->o_iface->getId() ) - { -/* two nat commands with the same id, the same interface and the same - * translated address, but different osrc and odst. OSrc and ODst must - * be different, otherwise these two commands would have been merged - * in the previous cycle. We can merge access lists and drop one of - * these nat commands. We merge ACLs by assigning them the same name. - */ - natcmd->nat_acl_name = nc->nat_acl_name; - nc->ignore_nat_and_print_acl = true; - } - } - } - } - - } - return true; -} - -/* - * The goal of this processor is to find SNAT rules that could be - * translated as "nat (interface) 0.0.0.0 0.0.0.0. These rules should - * have the same network object in OSrc that is used to define - * interface's network zone. The logic is simple: if network "A" is a - * network zone for internal interface, then only packets from this - * network can hit it and therefore there is no need to check source - * address once more in the "nat" rule. - * - * We also check for ODst and OSrv, because if the destination or the - * service are defined, then this optimization can not be done. - * - * This optimization can be turned off using checkbutton in the - * "Firewall" tab. - * - * call this processor really early, when groups have not been - * expanded yet. At this point both NAT rule type and interfaces it - * is associated with are unknown yet. We have to partially repeat - * algorithms used in other rule processors to determine NAT rule type - * and interface. - * - * We do this optimization in two steps: - * - * 1. in this rule processor we replace object in OSrc with firewall's - * interface. This way we can still use other rule processors that - * determine rule type and assign it to interfaces, but rule won't be - * split onto multiple rules because of objects in OSrc. We also set - * boolean flags "clear_osrc" and "use_nat_0_0" on the rule. - * - * 2. further down in rule processor clearOSrc we check the flag and - * clear OSrc if it is set. - * - * 3. flag "use_nat_0_0" is used in printRule processor. - */ -bool NATCompiler_pix::optimizeDefaultNAT::processNext() -{ -// NATCompiler_pix *pix_comp=dynamic_cast(compiler); - NATRule *rule=getNext(); if (rule==NULL) return false; - tmp_queue.push_back(rule); - - RuleElementOSrc *osrc=rule->getOSrc(); - RuleElementOSrv *osrv=rule->getOSrv(); - RuleElementODst *odst=rule->getODst(); - RuleElementTSrc *tsrc=rule->getTSrc(); - RuleElementTDst *tdst=rule->getTDst(); - - if (osrc->size()>1) return true; - if (osrc->isAny()) return true; - if (!osrv->isAny()) return true; - if (!odst->isAny()) return true; - -/* - * can't use RuleElementOSrc::getFirst(bool dereference) because it - * returns Address::cast(o), but child element of rule element may be - * a group when this processor is called. - */ - FWObject *o=osrc->front(); - string osrc_id; - if (FWReference::cast(o)!=NULL) - osrc_id = FWObjectDatabase::getStringId(FWReference::cast(o)->getPointerId()); - else - osrc_id = FWObjectDatabase::getStringId(o->getId()); - - if ( ( !tsrc->isAny() && tdst->isAny()) || - ( !osrc->isAny() && odst->isAny() && tsrc->isAny() && tdst->isAny() ) - ) - { -// this rule type is SNAT or NONAT - - list l2=compiler->fw->getByType(Interface::TYPENAME); - for (list::iterator i=l2.begin(); i!=l2.end(); ++i) - { - Interface *iface=Interface::cast(*i); - - if (iface->getStr("orig_netzone_id")==osrc_id ) - { - rule->setBool("clear_osrc",true); - rule->setBool("use_nat_0_0",true); - osrc->clearChildren(); - osrc->addRef(iface); - break; - } - } - } - - return true; -} - bool NATCompiler_pix::clearOSrc::processNext() { // NATCompiler_pix *pix_comp=dynamic_cast(compiler); @@ -1321,335 +1140,6 @@ bool NATCompiler_pix::processMultiAddressObjectsInRE::processNext() } -bool NATCompiler_pix::SuppressDuplicateNONATStatics::processNext() -{ - Helper helper(compiler); -// NATCompiler_pix *pix_comp=dynamic_cast(compiler); - NATRule *rule=getNext(); if (rule==NULL) return false; - - if (rule->getRuleType()== NATRule::NONAT && - rule->getInt("nonat_type")==NONAT_STATIC) - { - Address *osrc=compiler->getFirstOSrc(rule); assert(osrc); - Address *odst=compiler->getFirstODst(rule); assert(odst); - - nonat_static_parameters sp; - sp.iface1 = helper.findInterfaceByNetzone(osrc ); - sp.iface2 = helper.findInterfaceByNetzone(odst ); - sp.addr = *(odst->getAddressPtr()); - sp.mask = *(odst->getNetmaskPtr()); - - for (deque::iterator i=all_nonat_statics.begin(); - i!=all_nonat_statics.end(); ++i ) - { - if ( i->iface1==sp.iface1 && - i->iface2==sp.iface2 && - i->addr==sp.addr && - i->mask==sp.mask ) return true; - } - all_nonat_statics.push_back(sp); - } - - tmp_queue.push_back(rule); - return true; -} - -NATCompiler_pix::DetectOverlap::~DetectOverlap() {}; - -bool NATCompiler_pix::DetectOverlap::checkOverlapping( - const libfwbuilder::Address &addr1, - const libfwbuilder::InetAddr &addr2) -{ - if (AddressRange::isA(&addr1)) - { - const InetAddr a1 = AddressRange::constcast(&addr1)->getRangeStart(); - const InetAddr a2 = AddressRange::constcast(&addr1)->getRangeEnd(); - return (addr2==a1 || addr2==a2 || (addr2>a1 && addr2getRangeStart(); - const InetAddr a2=AddressRange::constcast(&pool)->getRangeEnd(); - return a1.toString()+"-"+a2.toString(); - } else - { - return pool.getAddressPtr()->toString() + "/" + - pool.getNetmaskPtr()->toString(); - } -} - -bool NATCompiler_pix::DetectGlobalPoolProblems::processNext() -{ - NATCompiler_pix *pix_comp=dynamic_cast(compiler); - NATRule *rule=getNext(); if (rule==NULL) return false; - tmp_queue.push_back(rule); - - if (rule->getRuleType()== NATRule::SNAT ) - { - NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ]; - - if (natcmd->ignore_global) return true; - - if (natcmd->type != INTERFACE) - { - if (checkOverlapping(*(natcmd->t_addr), - *(natcmd->t_iface->getAddressPtr()))) - compiler->abort( - rule, - "Global pool " - + printGlobalPoolAddress(*(natcmd->t_addr)) - + " overlaps with interface address."); - - if (checkOverlapping(*(natcmd->t_addr), - *(natcmd->t_iface->getBroadcastAddressPtr())) - || - checkOverlapping(*(natcmd->t_addr), - *(natcmd->t_iface->getAddressPtr())) ) - compiler->warning( - rule, - "Global pool " - + printGlobalPoolAddress(*(natcmd->t_addr)) - + " overlaps with broadcast address."); - } - - for (map::iterator i1=pix_comp->nat_commands.begin(); - i1!=pix_comp->nat_commands.end(); ++i1) - { - NATCmd *nc=(*i1).second; -/* since map nat_commands is sorted by the key, we only have to scan it - * until we hit natcmd - */ - if (nc->ignore_global) continue; - if (natcmd==nc) break; - - Interface *int1=natcmd->t_iface; - Interface *int2=nc->t_iface; - - if ( int1->getId()==int2->getId() ) - { - if ( ! fwcompiler::_find_obj_intersection(natcmd->t_addr,nc->t_addr).empty() ) - { - compiler->abort( - rule, - string("Global pool overlap: ") - + rule->getLabel() + " : " - + printGlobalPoolAddress(*(natcmd->t_addr)) - + nc->rule_label + " : " - + printGlobalPoolAddress(*(nc->t_addr)) ); - } - } - - } - - } - return true; -} - - -bool NATCompiler_pix::DetectOverlappingGlobalPoolsAndStaticRules::processNext() -{ - NATCompiler_pix *pix_comp=dynamic_cast(compiler); - NATRule *rule=getNext(); if (rule==NULL) return false; - tmp_queue.push_back(rule); - - if (rule->getRuleType()== NATRule::DNAT ) - { - Address *outa=compiler->getFirstODst(rule); assert(outa); - Address *insa=compiler->getFirstTDst(rule); assert(insa); - - for (map::iterator i=pix_comp->nat_commands.begin(); - i!=pix_comp->nat_commands.end(); ++i) - { - NATCmd *natcmd=(*i).second; - - if (natcmd->ignore_global) return true; - - /* in this case natcmd->t_addr is interface. Interface creates - * single-address global pool, but since it has netmask, - * method checkOverlapping would treat it as network. I create - * temporary substitution Address object to avoid this . - * - * If interface is used for a global pool (SNAT rule) and - * for a static (DNAT rule), then this is ok even though - * such global pool overlaps with such static (added 10/17/03) - * - * But first I need to check if this interface has dynamic - * address, in which case I can not really do this check - * at all. - */ - IPv4 addr; - - Interface *iface=Interface::cast(natcmd->t_addr); - if (iface!=NULL && iface->isDyn()) return true; - - if (iface!=NULL && iface->getId()==outa->getId()) return true; - - addr.setAddress(*(natcmd->t_addr->getAddressPtr())); - addr.setNetmask(*(natcmd->t_addr->getNetmaskPtr())); - - if (natcmd->type== INTERFACE) - { - addr.setNetmask(InetAddr(InetAddr::getAllOnes())); - } - - if ( checkOverlapping( addr, *(outa->getAddressPtr())) || - checkOverlapping( *outa, *(addr.getAddressPtr())) ) - compiler->abort( - - rule, - "Global pool " - +printGlobalPoolAddress(addr) - +" from rule " - +natcmd->rule_label - +" overlaps with static translation address in rule " - +rule->getLabel()); - } - } - return true; -} - -bool NATCompiler_pix::DetectDuplicateNAT::processNext() -{ - NATCompiler_pix *pix_comp=dynamic_cast(compiler); - NATRule *rule=getNext(); if (rule==NULL) return false; - tmp_queue.push_back(rule); - - if (rule->getRuleType()== NATRule::SNAT) - { - NATCmd *natcmd=pix_comp->nat_commands[ rule->getInt("nat_cmd") ]; - - if (natcmd->ignore_nat) return true; - - for (map::iterator i1=pix_comp->nat_commands.begin(); - i1!=pix_comp->nat_commands.end(); ++i1) - { - NATCmd *nc=(*i1).second; -/* since map nat_commands is sorted by the key, we only have to scan it - * until we hit natcmd - */ - if (nc->ignore_nat) continue; - if (natcmd==nc) break; - - Interface *int1=natcmd->t_iface; - Interface *int2=nc->t_iface; - -// InetAddr a1=natcmd->o_addr->getAddress(); -// InetAddr a2=nc->o_addr->getAddress(); -// -// InetAddr m1=natcmd->o_addr->getInetAddr(); -// InetAddr m2=nc->o_addr->getNetmask(); - - if ( int1->getId()==int2->getId() && - natcmd->o_src==nc->o_src && - natcmd->o_dst==nc->o_dst && - *(natcmd->o_srv)==*(nc->o_srv) - ) - { - ostringstream str; - str << "Duplicate NAT detected: rules " - << rule->getLabel() - << " and "<< nc->rule_label - << " : "<< natcmd->o_src->getAddressPtr()->toString() - << "/"<< natcmd->o_src->getNetmaskPtr()->toString() - << " " - << natcmd->o_srv->getProtocolName() - << " " - << TCPUDPService::cast(natcmd->o_srv)->getSrcRangeStart() - << ":" - << TCPUDPService::cast(natcmd->o_srv)->getSrcRangeEnd() - << " " - << "->"<< natcmd->o_dst->getAddressPtr()->toString() - << "/"<< natcmd->o_dst->getNetmaskPtr()->toString() - << " " - << TCPUDPService::cast(natcmd->o_srv)->getDstRangeStart() - << "/" - << TCPUDPService::cast(natcmd->o_srv)->getDstRangeEnd(); - - compiler->abort(rule, str.str()); - } - } -} -return true; -} - -bool NATCompiler_pix::DetectOverlappingStatics::processNext() -{ - NATCompiler_pix *pix_comp=dynamic_cast(compiler); - NATRule *rule=getNext(); if (rule==NULL) return false; - tmp_queue.push_back(rule); - - if (rule->getRuleType()== NATRule::DNAT ) - { - StaticCmd *scmd=pix_comp->static_commands[ rule->getInt("sc_cmd") ]; - - for (map::iterator i1=pix_comp->static_commands.begin(); - i1!=pix_comp->static_commands.end(); i1++ ) - { -// int scid=i1->first; - StaticCmd *sc= i1->second; - if (sc->ignore_scmd_and_print_acl) continue; - if (sc==scmd) break; - - if (Interface::isA(scmd->oaddr) && Interface::isA(sc->oaddr)) - { - if ( *(sc->osrv) == *(scmd->osrv) && - *(sc->tsrv) == *(scmd->tsrv) && - *(sc->osrc) == *(scmd->osrc) && - sc->oaddr->getId() == scmd->oaddr->getId()) - compiler->abort( - - rule, - "Static NAT rules overlap or are redundant : rules "+ - sc->rule+" and "+scmd->rule+" : "+ - "outside address: "+ - "interface "+Interface::cast(scmd->oaddr)->getLabel()+ - " inside address: "+ - scmd->iaddr->getAddressPtr()->toString()+"/"+ - scmd->iaddr->getNetmaskPtr()->toString()); - } else - { - if ( *(sc->osrv) == *(scmd->osrv) && - *(sc->tsrv) == *(scmd->tsrv) && - *(sc->osrc) == *(scmd->osrc)) - { - const InetAddrMask *ia1 = - scmd->iaddr->getInetAddrMaskObjectPtr(); - const InetAddrMask *ia2 = - sc->iaddr->getInetAddrMaskObjectPtr(); - - const InetAddrMask *oa1 = - scmd->oaddr->getInetAddrMaskObjectPtr(); - const InetAddrMask *oa2 = - sc->oaddr->getInetAddrMaskObjectPtr(); - - if ( ! getOverlap(*(ia1), *(ia2)).empty() || - ! getOverlap(*(oa1), *(oa2)).empty() ) - compiler->abort( - - rule, - "Static NAT rules overlap or are redundant: rules "+ - sc->rule+" and "+scmd->rule+" : "+ - "outside address: "+ - scmd->oaddr->getAddressPtr()->toString()+"/"+ - scmd->oaddr->getNetmaskPtr()->toString()+ - " inside address: "+ - scmd->iaddr->getAddressPtr()->toString()+"/"+ - scmd->iaddr->getNetmaskPtr()->toString()); - } - } - } - } - - return true; -} - void NATCompiler_pix::compile() { @@ -1662,6 +1152,21 @@ void NATCompiler_pix::compile() add( new singleRuleFilter()); + add(new expandGroupsInItfInb("expand groups in inbound Interface")); + add(new replaceClusterInterfaceInItfInb( + "replace cluster interfaces with member interfaces in " + "the inbound Interface rule element")); + add(new ItfInbNegation("process negation in inbound Itf")); + + add(new expandGroupsInItfOutb("expand groups in outbound Interface")); + add(new replaceClusterInterfaceInItfOutb( + "replace cluster interfaces with member interfaces in " + "the outbound Interface rule element")); + add(new ItfOutbNegation("process negation in outbound Itf")); + + add( new ConvertToAtomicForItfInb("convert to atomic for inbound interface") ); + add( new ConvertToAtomicForItfOutb("convert to atomic for outbound interface")); + if (fw->getOptionsObject()->getBool( "pix_optimize_default_nat")) add (new optimizeDefaultNAT( "optimize commands 'nat (interface) 0.0.0.0 0.0.0.0'")); diff --git a/src/cisco_lib/NATCompiler_pix.h b/src/cisco_lib/NATCompiler_pix.h index 6bbb73ff5..9e188c19c 100644 --- a/src/cisco_lib/NATCompiler_pix.h +++ b/src/cisco_lib/NATCompiler_pix.h @@ -36,7 +36,8 @@ #include #include -namespace fwcompiler { +namespace fwcompiler +{ typedef enum { UNKNOWN, @@ -60,9 +61,9 @@ namespace fwcompiler { libfwbuilder::Address *o_src; // for "nat" command libfwbuilder::Address *o_dst; // for "nat" command libfwbuilder::Service *o_srv; // for acl in "nat" command for 6.3 - libfwbuilder::Interface *o_iface; // for "nat" command libfwbuilder::Address *t_addr; // for "global" command - libfwbuilder::Interface *t_iface; // for "global" command + libfwbuilder::Interface *i_iface; // inbound + libfwbuilder::Interface *o_iface; // ountbound int nat_id; std::string nat_acl_name; global_pool_type type; @@ -70,15 +71,18 @@ namespace fwcompiler { struct StaticCmd { - bool ignore_scmd_and_print_acl; - std::string acl_name; - std::string rule; + bool ignore_scmd_and_print_acl; + std::string acl_name; + std::string rule; libfwbuilder::Address *iaddr; libfwbuilder::Address *oaddr; libfwbuilder::Address *osrc; libfwbuilder::Service *osrv; libfwbuilder::Service *tsrv; + libfwbuilder::Interface *i_iface; // inbound + libfwbuilder::Interface *o_iface; // outbound StaticCmd() { }; + bool operator==(const StaticCmd &other); }; class NATCompiler_pix : public NATCompiler @@ -95,8 +99,8 @@ namespace fwcompiler { struct nonat { std::string acl_name; - libfwbuilder::Interface *i_iface; - libfwbuilder::Interface *o_iface; + //libfwbuilder::Interface *i_iface; + //libfwbuilder::Interface *o_iface; libfwbuilder::Address *src; libfwbuilder::Address *dst; bool last; diff --git a/src/cisco_lib/NATCompiler_pix_writers.cpp b/src/cisco_lib/NATCompiler_pix_writers.cpp index 142c8bbde..0559769f4 100644 --- a/src/cisco_lib/NATCompiler_pix_writers.cpp +++ b/src/cisco_lib/NATCompiler_pix_writers.cpp @@ -186,19 +186,24 @@ void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule) Address *tdst=compiler->getFirstTDst(rule); assert(tdst); Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv); + RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); + RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); + + Interface *i_iface = Interface::cast( + FWObjectReference::getObject(itf_in_re->front())); + Interface *o_iface = Interface::cast( + FWObjectReference::getObject(itf_out_re->front())); switch (rule->getInt("nonat_type")) { case NONAT_NAT0: { nonat n0 = pix_comp->nonat_rules[rule->getId()]; - Interface *iface1 = n0.i_iface; -// Interface *iface2=n0.o_iface; if (rule->getBool("use_nat_0_0")) { /* old, < 6.3 */ - compiler->output << "nat (" << iface1->getLabel() << ") 0 0 0"; + compiler->output << "nat (" << i_iface->getLabel() << ") 0 0 0"; compiler->output << endl; } else { @@ -222,7 +227,7 @@ void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule) << _printAddress(n0.dst,true) << endl; - if (pix_comp->first_nonat_rule_id[iface1->getId()]==rule->getId()) + if (pix_comp->first_nonat_rule_id[i_iface->getId()]==rule->getId()) { if (compiler->fw->getStr("platform")=="fwsm" && compiler->fw->getOptionsObject()->getBool( @@ -232,7 +237,7 @@ void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule) compiler->output << endl; } compiler->output << "nat (" - << iface1->getLabel() + << i_iface->getLabel() << ") 0 access-list " << n0.acl_name << endl; @@ -242,22 +247,14 @@ void NATCompiler_pix::PrintRule::printNONAT(NATRule *rule) } case NONAT_STATIC: { - Address *osrc=compiler->getFirstOSrc(rule); assert(osrc); - Address *odst=compiler->getFirstODst(rule); assert(odst); - - Interface *osrc_iface = Interface::cast( - compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(osrc))); - Interface *odst_iface = Interface::cast( - compiler->dbcopy->findInIndex(helper.findInterfaceByNetzone(odst))); - - string addr=odst->getAddressPtr()->toString(); + string addr = odst->getAddressPtr()->toString(); string mask; if (Network::isA(odst)) mask=odst->getNetmaskPtr()->toString(); else mask="255.255.255.255"; compiler->output << "static (" - << odst_iface->getLabel() << "," - << osrc_iface->getLabel() << ") " + << o_iface->getLabel() << "," + << i_iface->getLabel() << ") " << addr << " " << addr << " netmask " << mask << endl; @@ -273,22 +270,29 @@ void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule) string platform = compiler->fw->getStr("platform"); string version = compiler->fw->getStr("version"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( - string("/FWBuilderResources/Target/options/")+ - "version_"+version+"/pix_commands/clear_acl"); + string("/FWBuilderResources/Target/options/") + + "version_" + version + "/pix_commands/clear_acl"); - Address *osrc=compiler->getFirstOSrc(rule); assert(osrc); - Address *odst=compiler->getFirstODst(rule); assert(odst); - Service *osrv=compiler->getFirstOSrv(rule); assert(osrv); + Address *osrc = compiler->getFirstOSrc(rule); assert(osrc); + Address *odst = compiler->getFirstODst(rule); assert(odst); + Service *osrv = compiler->getFirstOSrv(rule); assert(osrv); - Address *tsrc=compiler->getFirstTSrc(rule); assert(tsrc); - Address *tdst=compiler->getFirstTDst(rule); assert(tdst); - Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv); + Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc); + Address *tdst = compiler->getFirstTDst(rule); assert(tdst); + Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); + + RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); + RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); + + Interface *i_iface = Interface::cast( + FWObjectReference::getObject(itf_in_re->front())); + Interface *o_iface = Interface::cast( + FWObjectReference::getObject(itf_out_re->front())); if ( ! natcmd->ignore_global) { compiler->output << - "global (" << natcmd->t_iface->getLabel() << ") " - << natcmd->nat_id; + "global (" << o_iface->getLabel() << ") " << natcmd->nat_id; switch (natcmd->type) { @@ -315,7 +319,7 @@ void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule) << "-" << ar->getRangeEnd().toString() << " netmask " - << natcmd->t_iface->getNetmaskPtr()->toString() + << o_iface->getNetmaskPtr()->toString() << endl; } break; @@ -333,7 +337,7 @@ void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule) { /* old, < 6.3 */ compiler->output - << "nat (" << natcmd->o_iface->getLabel() << ") " + << "nat (" << i_iface->getLabel() << ") " << natcmd->nat_id << " " << natcmd->o_src->getAddressPtr()->toString() << " " @@ -377,7 +381,7 @@ void NATCompiler_pix::PrintRule::printSNAT(NATRule *rule) compiler->output << "access-list commit" << endl; compiler->output << endl; } - compiler->output << "nat (" << natcmd->o_iface->getLabel() << ") " + compiler->output << "nat (" << i_iface->getLabel() << ") " << natcmd->nat_id << " access-list " << natcmd->nat_acl_name; @@ -400,21 +404,24 @@ void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule) string platform = compiler->fw->getStr("platform"); string version = compiler->fw->getStr("version"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( - string("/FWBuilderResources/Target/options/")+ - "version_"+version+"/pix_commands/clear_acl"); + string("/FWBuilderResources/Target/options/") + + "version_" + version+"/pix_commands/clear_acl"); - Address *osrc=compiler->getFirstOSrc(rule); assert(osrc); - Address *odst=compiler->getFirstODst(rule); assert(odst); - Service *osrv=compiler->getFirstOSrv(rule); assert(osrv); + Address *osrc = compiler->getFirstOSrc(rule); assert(osrc); + Address *odst = compiler->getFirstODst(rule); assert(odst); + Service *osrv = compiler->getFirstOSrv(rule); assert(osrv); - Address *tsrc=compiler->getFirstTSrc(rule); assert(tsrc); - Address *tdst=compiler->getFirstTDst(rule); assert(tdst); - Service *tsrv=compiler->getFirstTSrv(rule); assert(tsrv); + Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc); + Address *tdst = compiler->getFirstTDst(rule); assert(tdst); + Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); - Interface *iface_orig = Interface::cast( - compiler->dbcopy->findInIndex(rule->getInt("nat_iface_orig"))); - Interface *iface_trn = Interface::cast( - compiler->dbcopy->findInIndex(rule->getInt("nat_iface_trn"))); + RuleElementItfInb *itf_in_re = rule->getItfInb(); assert(itf_in_re!=NULL); + RuleElementItfOutb *itf_out_re = rule->getItfOutb(); assert(itf_out_re!=NULL); + + Interface *i_iface = Interface::cast( + FWObjectReference::getObject(itf_in_re->front())); + Interface *o_iface = Interface::cast( + FWObjectReference::getObject(itf_out_re->front())); StaticCmd *scmd = pix_comp->static_commands[ rule->getInt("sc_cmd") ]; @@ -431,9 +438,9 @@ void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule) /* old, < 6.3 */ compiler->output << "static (" - << iface_trn->getLabel() + << o_iface->getLabel() << "," - << iface_orig->getLabel() + << i_iface->getLabel() << ") " ; bool use_ports=false; @@ -459,6 +466,7 @@ void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule) compiler->output << " netmask " << outm->toString(); } compiler->output << " " << _printConnOptions(rule) << endl; + } else { /* new, >=6.3 */ @@ -494,20 +502,28 @@ void NATCompiler_pix::PrintRule::printDNAT(NATRule *rule) if (!scmd->ignore_scmd_and_print_acl) { if (compiler->fw->getStr("platform")=="fwsm" && - compiler->fw->getOptionsObject()->getBool("pix_use_manual_commit") ) + compiler->fw->getOptionsObject()->getBool("pix_use_manual_commit")) { compiler->output << "access-list commit" << endl; compiler->output << endl; } compiler->output << "static (" - << iface_trn->getLabel() + << o_iface->getLabel() << "," - << iface_orig->getLabel() + << i_iface->getLabel() << ") " ; bool use_ports=false; - if (TCPService::cast(scmd->osrv)) { use_ports=true; compiler->output << "tcp "; } - if (UDPService::cast(scmd->osrv)) { use_ports=true; compiler->output << "udp "; } + if (TCPService::cast(scmd->osrv)) + { + use_ports=true; + compiler->output << "tcp "; + } + if (UDPService::cast(scmd->osrv)) + { + use_ports=true; + compiler->output << "udp "; + } if (Interface::cast(scmd->oaddr)!=NULL) compiler->output << "interface "; @@ -530,8 +546,8 @@ bool NATCompiler_pix::PrintRule::processNext() string platform = compiler->fw->getStr("platform"); string version = compiler->fw->getStr("version"); string clearACLcmd = Resources::platform_res[platform]->getResourceStr( - string("/FWBuilderResources/Target/options/")+ - "version_"+version+"/pix_commands/clear_acl"); + string("/FWBuilderResources/Target/options/") + + "version_" + version + "/pix_commands/clear_acl"); NATRule *rule = getNext(); if (rule==NULL) return false; tmp_queue.push_back(rule); diff --git a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp index 67faf4383..5a8edb521 100644 --- a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp +++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp @@ -106,9 +106,9 @@ bool CreateObjectGroups::processNext() string version = compiler->fw->getStr("version"); string platform = compiler->fw->getStr("platform"); - Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex( - rule->getInterfaceId())); - assert(rule_iface); + // Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex( + // rule->getInterfaceId())); + //assert(rule_iface); RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); diff --git a/src/cisco_lib/cisco_lib.pro b/src/cisco_lib/cisco_lib.pro index 16b36fded..a57011255 100644 --- a/src/cisco_lib/cisco_lib.pro +++ b/src/cisco_lib/cisco_lib.pro @@ -34,6 +34,7 @@ SOURCES = PolicyCompiler_cisco.cpp \ NATCompiler_pix_writers.cpp \ NATCompiler_asa8.cpp \ NATCompiler_asa8_writers.cpp \ + NATCompiler_pix_optimizers.cpp \ OSConfigurator_pix_os.cpp \ OSConfigurator_pix_os_fixups.cpp \ OSConfigurator_pix_os_inspectors.cpp \ diff --git a/src/res/platform/fwsm.xml b/src/res/platform/fwsm.xml index 47e8eda0f..2107c667b 100644 --- a/src/res/platform/fwsm.xml +++ b/src/res/platform/fwsm.xml @@ -233,8 +233,8 @@ nameif %in %il security%sl True True False - False - False + True + True False False True diff --git a/src/res/platform/pix.xml b/src/res/platform/pix.xml index 1e4a74818..ee0a22037 100644 --- a/src/res/platform/pix.xml +++ b/src/res/platform/pix.xml @@ -646,8 +646,8 @@ True True False - False - False + True + True False False True diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 9ab507bdf..35c94dbdf 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:22 2011 PST by vadim +! Generated Sat Feb 19 18:59:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index 90b50e8b4..34ec90e63 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:22 2011 PST by vadim +! Generated Sat Feb 19 18:59:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 05d2022f8..8e898f50a 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:22 2011 PST by vadim +! Generated Sat Feb 19 18:59:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index ef54c0999..1c983b381 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:22 2011 PST by vadim +! Generated Sat Feb 19 18:59:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index 166d96bac..8a65cad9d 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:05 2011 PST by vadim +! Generated Sat Feb 19 18:59:23 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 8b3451fbd..c5391de4f 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:04 2011 PST by vadim +! Generated Sat Feb 19 18:59:23 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported @@ -20,6 +20,9 @@ ! C firewall1:Policy:9: error: Dynamic interface can be used in the policy rule only in v6.3 or later. ! C firewall1:Policy:9: error: Dynamic interface can be used in the policy rule only in v6.3 or later. +! N firewall1:NAT:4: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. +! N firewall1:NAT:5: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. + ! ! Prolog script: ! @@ -137,12 +140,14 @@ nat (inside) 2 192.168.1.0 255.255.255.0 0 0 global (dmz) 2 interface ! nat (dmz) 2 192.168.2.0 255.255.255.0 0 0 +! firewall1:NAT:4: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. ! ! ! Rule 5 (NAT) ! ! ! +! firewall1:NAT:5: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. ! diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index b13ad40be..3b1066a93 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:05 2011 PST by vadim +! Generated Sat Feb 19 18:59:25 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index 29e0c77fb..162ebc7e9 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:05 2011 PST by vadim +! Generated Sat Feb 19 18:59:25 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index a77af7200..06356a781 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:06 2011 PST by vadim +! Generated Sat Feb 19 18:59:26 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 6a1ed25a8..056450f17 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:07 2011 PST by vadim +! Generated Sat Feb 19 18:59:26 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 71a1bcea4..3b28dd10e 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:07 2011 PST by vadim +! Generated Sat Feb 19 18:59:27 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index f86eab896..ff5cbb5bc 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:08 2011 PST by vadim +! Generated Sat Feb 19 18:59:27 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index dae09a31c..c3fc8e2d2 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:08 2011 PST by vadim +! Generated Sat Feb 19 18:59:29 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index bdf6035ae..0bf1d32f9 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:09 2011 PST by vadim +! Generated Sat Feb 19 18:59:30 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 5cf322781..e1a16015b 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:09 2011 PST by vadim +! Generated Sat Feb 19 18:59:29 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 4d8d027fd..8c2042284 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:10 2011 PST by vadim +! Generated Sat Feb 19 18:59:31 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index cb14e9ddf..d3562ba6e 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:10 2011 PST by vadim +! Generated Sat Feb 19 18:59:32 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index f613764a4..9726c07d6 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:11 2011 PST by vadim +! Generated Sat Feb 19 18:59:34 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -21,6 +21,12 @@ ! C firewall33:Policy:7: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode ! C firewall33:Policy:8: error: Run-time AddressTable and DNSName objects are not supported. +! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. +! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. +! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. +! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. +! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. +! N firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. ! N firewall33:NAT:2: error: Run-time AddressTable and DNSName objects are not supported. ! @@ -80,11 +86,11 @@ object-group network id43867C2418346.src.net.0 exit object-group network id438728A918346.dst.net.0 - network-object host 74.125.224.16 - network-object host 74.125.224.17 - network-object host 74.125.224.18 - network-object host 74.125.224.19 - network-object host 74.125.224.20 + network-object host 74.125.224.80 + network-object host 74.125.224.81 + network-object host 74.125.224.82 + network-object host 74.125.224.83 + network-object host 74.125.224.84 network-object host 157.166.224.25 network-object host 157.166.224.26 network-object host 157.166.226.25 @@ -134,12 +140,18 @@ access-list id43867C4918346.0 permit ip host 192.168.1.10 any static (inside,outside) interface access-list id43867C4918346.0 0 0 ! ! Rule 1 (NAT) +! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. global (outside) 1 interface access-list id43876E2618346.0 permit ip any host 157.166.224.25 +! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.224.26 +! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.226.25 +! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.226.26 +! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.255.18 +! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.255.19 nat (outside) 1 access-list id43876E2618346.0 0 0 diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index 8f0fddd21..67b1e34bd 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:12 2011 PST by vadim +! Generated Sat Feb 19 18:59:34 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -74,61 +74,6 @@ object-group network id16988X10208.dst.net.0 exit object-group network id4390C25825682.dst.net.0 - network-object 58.33.181.83 255.255.255.255 - network-object 58.53.82.190 255.255.255.255 - network-object 58.231.13.78 255.255.255.255 - network-object host 61.150.47.112 - network-object 61.184.14.102 255.255.255.255 - network-object 64.106.85.186 255.255.255.255 - network-object 70.228.60.100 255.255.255.255 - network-object 80.51.236.6 255.255.255.255 - network-object 80.243.72.149 255.255.255.255 - network-object 80.249.77.34 255.255.255.255 - network-object 81.2.36.254 255.255.255.255 - network-object 81.196.74.125 255.255.255.255 - network-object 82.77.37.174 255.255.255.255 - network-object 82.117.221.205 255.255.255.255 - network-object 82.143.196.17 255.255.255.255 - network-object 84.90.8.198 255.255.255.255 - network-object 151.8.224.178 255.255.255.255 - network-object 168.156.76.20 255.255.255.255 - network-object 193.207.126.36 255.255.255.255 - network-object 195.136.186.35 255.255.255.255 - network-object 196.15.136.15 255.255.255.255 - network-object 201.10.180.138 255.255.255.255 - network-object 201.17.93.16 255.255.255.255 - network-object 201.36.156.121 255.255.255.255 - network-object 202.96.112.93 255.255.255.255 - network-object 202.103.25.253 255.255.255.255 - network-object 203.162.3.209 255.255.255.255 - network-object 203.209.124.144 255.255.255.255 - network-object 210.106.193.237 255.255.255.255 - network-object 210.222.114.102 255.255.255.255 - network-object 211.144.143.143 255.255.255.255 - network-object 211.172.218.237 255.255.255.255 - network-object 211.250.16.132 255.255.255.255 - network-object 212.21.241.31 255.255.255.255 - network-object 212.100.212.100 255.255.255.255 - network-object 218.18.72.252 255.255.255.255 - network-object 218.39.114.122 255.255.255.255 - network-object 218.55.115.43 255.255.255.255 - network-object 218.104.138.146 255.255.255.255 - network-object 219.132.104.160 255.255.255.255 - network-object 220.71.17.86 255.255.255.255 - network-object 220.81.50.105 255.255.255.255 - network-object 220.91.99.46 255.255.255.255 - network-object 221.14.249.242 255.255.255.255 - network-object 221.166.177.135 255.255.255.255 - network-object 221.198.33.38 255.255.255.255 - network-object 221.202.160.233 255.255.255.255 - network-object 221.205.54.125 255.255.255.255 - network-object 221.217.44.248 255.255.255.255 - network-object 222.100.212.223 255.255.255.255 - network-object 222.121.118.144 255.255.255.255 - network-object 222.174.113.2 255.255.255.255 -exit - -object-group network id4388CFF8674.src.net.0 network-object 58.33.181.83 255.255.255.255 network-object 58.53.82.190 255.255.255.255 network-object 58.231.13.78 255.255.255.255 @@ -214,7 +159,7 @@ access-list outside_acl_in deny tcp any object-group id4390C25825682.dst.net.0 access-list inside_acl_in deny tcp any object-group id4390C25825682.dst.net.0 eq 25 ! ! Rule 5 (global) -access-list outside_acl_in deny ip object-group id4388CFF8674.src.net.0 any log 6 interval 300 +access-list outside_acl_in deny ip object-group id4390C25825682.dst.net.0 any log 6 interval 300 ! ! Rule 6 (global) access-list outside_acl_in deny ip object-group id4390C25825682.dst.net.0 any log 6 interval 300 diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 364e08e8d..9cced03fe 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:12 2011 PST by vadim +! Generated Sat Feb 19 18:59:35 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index 6679df403..ebf87c360 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:13 2011 PST by vadim +! Generated Sat Feb 19 18:59:35 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 8bdabab74..c9ef82fc1 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:13 2011 PST by vadim +! Generated Sat Feb 19 18:59:37 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index 0e82169b8..c530736d9 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:14 2011 PST by vadim +! Generated Sat Feb 19 18:59:37 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 33448e647..803a037ec 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:14 2011 PST by vadim +! Generated Sat Feb 19 18:59:38 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index c1b991bcf..003747fb1 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:15 2011 PST by vadim +! Generated Sat Feb 19 16:27:54 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 1504d479f..70a8b5901 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:15 2011 PST by vadim +! Generated Sat Feb 19 16:27:55 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 8d7599bd5..890b894b7 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:16 2011 PST by vadim +! Generated Sat Feb 19 16:27:55 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index e8fb7e339..caf7a4358 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:16 2011 PST by vadim +! Generated Sat Feb 19 18:59:41 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index 06ec3c5c4..20bbff0e4 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:17 2011 PST by vadim +! Generated Sat Feb 19 16:27:56 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index e647cbf83..4372a022b 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:17 2011 PST by vadim +! Generated Sat Feb 19 16:27:57 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index 2d52c2e17..00a2442a3 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:18 2011 PST by vadim +! Generated Sat Feb 19 16:27:57 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index 83499f079..06def267d 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:18 2011 PST by vadim +! Generated Sat Feb 19 16:27:58 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall94.fw.orig b/test/pix/firewall94.fw.orig index a231522e6..af08dd4a9 100755 --- a/test/pix/firewall94.fw.orig +++ b/test/pix/firewall94.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:18 2011 PST by vadim +! Generated Sat Feb 19 18:59:45 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index 68eb72ec7..f5beadbfb 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:19 2011 PST by vadim +! Generated Sat Feb 19 18:59:46 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index cd8979b64..f8ea32176 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:20 2011 PST by vadim +! Generated Sat Feb 19 18:59:46 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index 5e3c1b8a3..f4150e9d1 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb @@ -1,6 +1,6 @@ - + @@ -51,9 +51,9 @@ - + + @@ -69,9 +69,9 @@ - + + @@ -100,17 +100,17 @@ - + established - + established -m state --state ESTABLISHED,RELATED established - + established - + established -m state --state ESTABLISHED,RELATED established @@ -318,6 +318,12 @@ + + + + + + @@ -360,54 +366,54 @@ - - - - + + + + -m record_rpc - - - + + + - - - - + + + + -m irc - - - + + + - - - - + + + + -m psd --psd-weight-threshold 5 --psd-delay-threshold 10000 - - - + + + - - - - + + + + -m string --string test_pattern - - - + + + - - - - + + + + -m talk - - - + + + @@ -568,9 +574,9 @@ - + + @@ -637,9 +643,9 @@ - + + @@ -655,9 +661,9 @@ - + + @@ -672,9 +678,9 @@ - + + @@ -690,9 +696,9 @@ - + + @@ -708,9 +714,9 @@ - + + @@ -726,9 +732,9 @@ - + + @@ -744,9 +750,9 @@ - + + @@ -776,9 +782,9 @@ - + + @@ -794,9 +800,9 @@ - + + @@ -812,9 +818,9 @@ - + + @@ -830,9 +836,9 @@ - + + @@ -848,9 +854,9 @@ - + + @@ -866,9 +872,9 @@ - + + @@ -884,9 +890,9 @@ - + + @@ -898,9 +904,9 @@ - + + @@ -932,9 +938,9 @@ - + + @@ -949,9 +955,9 @@ - + + @@ -966,9 +972,9 @@ - + + @@ -997,9 +1003,9 @@ - + + @@ -1061,9 +1067,9 @@ - + + @@ -1079,9 +1085,9 @@ - + + @@ -1096,9 +1102,9 @@ - + + @@ -1113,9 +1119,9 @@ - + + @@ -1176,9 +1182,9 @@ - + + @@ -1195,9 +1201,9 @@ - + + @@ -1373,31 +1379,31 @@ - - + + -m ip_conntrack_talk -m ip_nat_talk - - - - - - + + + + + + tcp destination neq 8080 - - + + - - - - - - + + + + + + neq 8080 - - + + @@ -1405,7 +1411,7 @@ - + @@ -1424,12 +1430,15 @@ - - - + + + + + + - + @@ -1448,12 +1457,15 @@ - - - + + + + + + - + @@ -1472,12 +1484,15 @@ - - - + + + + + + - + @@ -1496,12 +1511,15 @@ - - - + + + + + + - + @@ -1520,12 +1538,15 @@ - - - + + + + + + - + @@ -1544,12 +1565,15 @@ - - - + + + + + + - + @@ -1568,12 +1592,15 @@ - - - + + + + + + - + @@ -1592,12 +1619,15 @@ - - - + + + + + + - + @@ -1620,12 +1650,15 @@ - - - + + + + + + - + @@ -1644,12 +1677,15 @@ - - - + + + + + + - + @@ -1668,12 +1704,15 @@ - - - + + + + + + - + @@ -1692,12 +1731,15 @@ - - - + + + + + + - + @@ -1716,15 +1758,18 @@ - - - + + + + + + - + @@ -1744,7 +1789,7 @@ - + @@ -1764,7 +1809,7 @@ - + @@ -1782,7 +1827,7 @@ - + @@ -1801,7 +1846,7 @@ - + @@ -1816,7 +1861,7 @@ - + @@ -1832,7 +1877,7 @@ - + @@ -1852,7 +1897,7 @@ - + @@ -1871,14 +1916,14 @@ - - + - + @@ -1896,7 +1941,7 @@ - + @@ -1913,13 +1958,13 @@ - + - - + @@ -1937,14 +1982,14 @@ - - + - + @@ -1964,7 +2009,7 @@ - + @@ -1983,13 +2028,13 @@ - + - - + @@ -2007,7 +2052,7 @@ - + @@ -2025,7 +2070,7 @@ - + @@ -2044,7 +2089,7 @@ - + @@ -2062,13 +2107,13 @@ - + - - + @@ -2086,13 +2131,13 @@ - + - - + @@ -2110,13 +2155,13 @@ - + - - + @@ -2136,13 +2181,13 @@ - + - - + @@ -2160,7 +2205,7 @@ - + @@ -2177,13 +2222,13 @@ - + - - + @@ -2200,13 +2245,13 @@ - + - - + @@ -2224,7 +2269,7 @@ - + @@ -2242,13 +2287,13 @@ - + - - + @@ -2265,18 +2310,18 @@ - + - + - + @@ -2407,12 +2452,12 @@ - + - @@ -2421,8 +2466,8 @@ - + @@ -2439,9 +2484,9 @@ - + + @@ -2454,7 +2499,7 @@ - @@ -2468,7 +2513,7 @@ - @@ -2492,7 +2537,7 @@ - @@ -2514,9 +2559,9 @@ - - - + @@ -2598,11 +2643,11 @@ - + + - @@ -2623,7 +2668,7 @@ - + @@ -2642,12 +2687,15 @@ - - - + + + + + + - + @@ -2666,9 +2714,12 @@ - - - + + + + + + @@ -2691,9 +2742,12 @@ - - - + + + + + + @@ -2716,9 +2770,12 @@ - - - + + + + + + @@ -2742,12 +2799,15 @@ - - - + + + + + + - + @@ -2767,15 +2827,18 @@ - - - + + + + + + - + @@ -2792,7 +2855,7 @@ - + @@ -2812,7 +2875,7 @@ - + @@ -2830,7 +2893,7 @@ - + @@ -2848,7 +2911,7 @@ - + @@ -2868,7 +2931,7 @@ - + @@ -2888,7 +2951,7 @@ - + @@ -2909,7 +2972,7 @@ - + @@ -2929,7 +2992,7 @@ - + @@ -2949,7 +3012,7 @@ - + @@ -2968,7 +3031,7 @@ - + @@ -2989,7 +3052,7 @@ - + @@ -3007,7 +3070,7 @@ - + @@ -3025,14 +3088,14 @@ - - - + @@ -3053,7 +3116,7 @@ - + @@ -3074,7 +3137,7 @@ - + @@ -3096,7 +3159,7 @@ - + @@ -3118,7 +3181,7 @@ - + @@ -3138,7 +3201,7 @@ - + @@ -3158,7 +3221,7 @@ - + @@ -3176,7 +3239,7 @@ - + @@ -3223,17 +3286,17 @@ - + - - + + @@ -3245,7 +3308,7 @@ - @@ -3270,7 +3333,7 @@ - @@ -3281,14 +3344,14 @@ - - - - @@ -3311,12 +3374,12 @@ - + - + + @@ -3343,17 +3406,17 @@ - + + + - + @@ -3372,12 +3435,15 @@ - - - + + + + + + - + @@ -3397,12 +3463,15 @@ - - - + + + + + + - + @@ -3421,12 +3490,15 @@ - - - + + + + + + - + @@ -3445,12 +3517,15 @@ - - - + + + + + + - + @@ -3469,12 +3544,15 @@ - - - + + + + + + - + @@ -3494,12 +3572,15 @@ - - - + + + + + + - + @@ -3519,12 +3600,15 @@ - - - + + + + + + - + @@ -3544,12 +3628,15 @@ - - - + + + + + + - + @@ -3569,12 +3656,15 @@ - - - + + + + + + - + @@ -3594,12 +3684,15 @@ - - - + + + + + + - + @@ -3619,12 +3712,15 @@ - - - + + + + + + - + @@ -3643,12 +3739,15 @@ - - - + + + + + + - + @@ -3667,15 +3766,18 @@ - - - + + + + + + - + @@ -3695,7 +3797,7 @@ - + @@ -3712,7 +3814,7 @@ - + @@ -3730,7 +3832,7 @@ - + @@ -3749,7 +3851,7 @@ - + @@ -3764,7 +3866,7 @@ - + @@ -3780,7 +3882,7 @@ - + @@ -3800,7 +3902,7 @@ - + @@ -3818,7 +3920,7 @@ - + @@ -3835,13 +3937,13 @@ - + - - + @@ -3859,14 +3961,14 @@ - - + - + @@ -3886,7 +3988,7 @@ - + @@ -3905,13 +4007,13 @@ - + - - + @@ -3929,7 +4031,7 @@ - + @@ -3947,7 +4049,7 @@ - + @@ -3965,13 +4067,13 @@ - + - - + @@ -3989,13 +4091,13 @@ - + - - + @@ -4013,13 +4115,13 @@ - + - - + @@ -4036,13 +4138,13 @@ - + - - + @@ -4059,13 +4161,13 @@ - + - - + @@ -4084,7 +4186,7 @@ - + @@ -4102,7 +4204,7 @@ - + @@ -4120,13 +4222,13 @@ - + - - + @@ -4143,11 +4245,11 @@ - + - + @@ -4180,13 +4282,13 @@ - - @@ -4199,9 +4301,9 @@ - + + @@ -4213,7 +4315,7 @@ - @@ -4241,7 +4343,7 @@ - @@ -4254,8 +4356,8 @@ - + @@ -4320,7 +4422,7 @@ - @@ -4330,9 +4432,9 @@ - + + @@ -4352,7 +4454,7 @@ - + @@ -4371,12 +4473,15 @@ - - - + + + + + + - + @@ -4396,12 +4501,15 @@ - - - + + + + + + - + @@ -4421,12 +4529,15 @@ - - - + + + + + + - + @@ -4445,12 +4556,15 @@ - - - + + + + + + - + @@ -4469,12 +4583,15 @@ - - - + + + + + + - + @@ -4493,15 +4610,18 @@ - - - + + + + + + - + @@ -4519,7 +4639,7 @@ - + @@ -4537,7 +4657,7 @@ - + @@ -4557,7 +4677,7 @@ - + @@ -4575,7 +4695,7 @@ - + @@ -4619,11 +4739,11 @@ - + - + @@ -4648,7 +4768,7 @@ - @@ -4667,7 +4787,7 @@ - @@ -4717,8 +4837,8 @@ no sysopt nodnsalias outbound - + @@ -4753,9 +4873,9 @@ no sysopt nodnsalias outbound - + + @@ -4775,7 +4895,7 @@ no sysopt nodnsalias outbound - + @@ -4794,12 +4914,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -4818,15 +4941,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -4844,7 +4970,7 @@ no sysopt nodnsalias outbound - + @@ -4862,7 +4988,7 @@ no sysopt nodnsalias outbound - + @@ -4880,7 +5006,7 @@ no sysopt nodnsalias outbound - + @@ -4941,7 +5067,7 @@ no sysopt nodnsalias outbound - + @@ -4987,8 +5113,8 @@ no sysopt nodnsalias outbound - + @@ -5027,7 +5153,7 @@ no sysopt nodnsalias outbound - @@ -5038,18 +5164,18 @@ no sysopt nodnsalias outbound - - - - + - @@ -5076,7 +5202,7 @@ no sysopt nodnsalias outbound - @@ -5119,10 +5245,10 @@ no sysopt nodnsalias outbound - - @@ -5140,7 +5266,7 @@ no sysopt nodnsalias outbound - + @@ -5159,12 +5285,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5183,12 +5312,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5207,12 +5339,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5231,12 +5366,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5256,12 +5394,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5280,12 +5421,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5304,12 +5448,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5330,15 +5477,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5356,7 +5506,7 @@ no sysopt nodnsalias outbound - + @@ -5396,8 +5546,8 @@ no sysopt nodnsalias outbound - + @@ -5423,7 +5573,7 @@ no sysopt nodnsalias outbound - @@ -5434,11 +5584,11 @@ no sysopt nodnsalias outbound - - - @@ -5472,8 +5622,8 @@ no sysopt nodnsalias outbound - + @@ -5501,9 +5651,9 @@ no sysopt nodnsalias outbound - + + @@ -5521,7 +5671,7 @@ no sysopt nodnsalias outbound - + @@ -5540,12 +5690,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5564,12 +5717,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5588,15 +5744,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5614,7 +5773,7 @@ no sysopt nodnsalias outbound - + @@ -5654,8 +5813,8 @@ no sysopt nodnsalias outbound - + @@ -5681,7 +5840,7 @@ no sysopt nodnsalias outbound - @@ -5692,15 +5851,15 @@ no sysopt nodnsalias outbound - - - - @@ -5723,8 +5882,8 @@ no sysopt nodnsalias outbound - + @@ -5752,9 +5911,9 @@ no sysopt nodnsalias outbound - + + @@ -5772,7 +5931,7 @@ no sysopt nodnsalias outbound - + @@ -5791,12 +5950,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5815,12 +5977,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5839,14 +6004,17 @@ no sysopt nodnsalias outbound - - - + + + + + + - - + @@ -5866,12 +6034,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5890,12 +6061,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5914,12 +6088,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -5938,14 +6115,17 @@ no sysopt nodnsalias outbound - - - + + + + + + - - + @@ -5964,14 +6144,17 @@ no sysopt nodnsalias outbound - - - + + + + + + - - + @@ -5990,14 +6173,17 @@ no sysopt nodnsalias outbound - - - + + + + + + - - + @@ -6016,12 +6202,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6040,12 +6229,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6064,12 +6256,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6088,12 +6283,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6112,12 +6310,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6136,9 +6337,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -6163,12 +6367,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6187,12 +6394,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6211,9 +6421,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -6235,12 +6448,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6259,12 +6475,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6283,12 +6502,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6307,12 +6529,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6331,12 +6556,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6355,12 +6583,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6379,12 +6610,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6403,12 +6637,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6427,12 +6664,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6451,12 +6691,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6475,12 +6718,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6499,12 +6745,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6523,15 +6772,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -6546,14 +6798,14 @@ no sysopt nodnsalias outbound - + - + @@ -6568,14 +6820,14 @@ no sysopt nodnsalias outbound - + - + @@ -6594,7 +6846,7 @@ no sysopt nodnsalias outbound - + @@ -6613,7 +6865,7 @@ no sysopt nodnsalias outbound - + @@ -6632,7 +6884,7 @@ no sysopt nodnsalias outbound - + @@ -6652,7 +6904,7 @@ no sysopt nodnsalias outbound - + @@ -6700,17 +6952,17 @@ no sysopt nodnsalias outbound - - - - + + @@ -6749,7 +7001,7 @@ no sysopt nodnsalias outbound - @@ -6757,7 +7009,7 @@ no sysopt nodnsalias outbound - @@ -6795,10 +7047,10 @@ no sysopt nodnsalias outbound - + + + @@ -6808,7 +7060,7 @@ no sysopt nodnsalias outbound - + @@ -6826,7 +7078,7 @@ no sysopt nodnsalias outbound - + @@ -6844,7 +7096,7 @@ no sysopt nodnsalias outbound - + @@ -6862,7 +7114,7 @@ no sysopt nodnsalias outbound - + @@ -6880,7 +7132,7 @@ no sysopt nodnsalias outbound - + @@ -6898,7 +7150,7 @@ no sysopt nodnsalias outbound - + @@ -6916,7 +7168,7 @@ no sysopt nodnsalias outbound - + @@ -6934,7 +7186,7 @@ no sysopt nodnsalias outbound - + @@ -6952,7 +7204,7 @@ no sysopt nodnsalias outbound - + @@ -6970,7 +7222,7 @@ no sysopt nodnsalias outbound - + @@ -6988,7 +7240,7 @@ no sysopt nodnsalias outbound - + @@ -7006,7 +7258,7 @@ no sysopt nodnsalias outbound - + @@ -7024,7 +7276,7 @@ no sysopt nodnsalias outbound - + @@ -7042,7 +7294,7 @@ no sysopt nodnsalias outbound - + @@ -7060,7 +7312,7 @@ no sysopt nodnsalias outbound - + @@ -7107,24 +7359,24 @@ no sysopt nodnsalias outbound - + - - - + + @@ -7164,7 +7416,7 @@ no sysopt nodnsalias outbound - @@ -7175,7 +7427,7 @@ no sysopt nodnsalias outbound - @@ -7195,9 +7447,9 @@ no sysopt nodnsalias outbound - + + @@ -7220,16 +7472,16 @@ no sysopt nodnsalias outbound - - + + @@ -7249,7 +7501,7 @@ no sysopt nodnsalias outbound - + @@ -7268,12 +7520,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7292,12 +7547,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7316,15 +7574,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7341,10 +7602,10 @@ no sysopt nodnsalias outbound - - + @@ -7362,10 +7623,10 @@ no sysopt nodnsalias outbound - - + @@ -7383,10 +7644,10 @@ no sysopt nodnsalias outbound - - + @@ -7403,10 +7664,10 @@ no sysopt nodnsalias outbound - - + @@ -7423,7 +7684,7 @@ no sysopt nodnsalias outbound - @@ -7458,24 +7719,24 @@ no sysopt nodnsalias outbound - + - - - + + @@ -7487,7 +7748,7 @@ no sysopt nodnsalias outbound - @@ -7503,36 +7764,36 @@ no sysopt nodnsalias outbound - - - + + - - + + @@ -7551,7 +7812,7 @@ no sysopt nodnsalias outbound - + @@ -7570,12 +7831,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7594,12 +7858,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7618,12 +7885,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7642,15 +7912,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7667,7 +7940,7 @@ no sysopt nodnsalias outbound - + @@ -7714,23 +7987,23 @@ no sysopt nodnsalias outbound - + - - + + @@ -7742,7 +8015,7 @@ no sysopt nodnsalias outbound - @@ -7758,7 +8031,7 @@ no sysopt nodnsalias outbound - @@ -7770,7 +8043,7 @@ no sysopt nodnsalias outbound - @@ -7786,16 +8059,16 @@ no sysopt nodnsalias outbound - - + + @@ -7815,7 +8088,7 @@ no sysopt nodnsalias outbound - + @@ -7834,12 +8107,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7858,15 +8134,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -7884,7 +8163,7 @@ no sysopt nodnsalias outbound - + @@ -7902,7 +8181,7 @@ no sysopt nodnsalias outbound - + @@ -7920,7 +8199,7 @@ no sysopt nodnsalias outbound - + @@ -7963,23 +8242,23 @@ no sysopt nodnsalias outbound - + - - + + @@ -7991,7 +8270,7 @@ no sysopt nodnsalias outbound - @@ -8006,10 +8285,10 @@ no sysopt nodnsalias outbound - - @@ -8018,13 +8297,13 @@ no sysopt nodnsalias outbound - - + + @@ -8044,7 +8323,7 @@ no sysopt nodnsalias outbound - + @@ -8064,12 +8343,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8088,12 +8370,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8112,12 +8397,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8136,12 +8424,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8160,12 +8451,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8184,12 +8478,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8208,15 +8505,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8234,7 +8534,7 @@ no sysopt nodnsalias outbound - + @@ -8252,7 +8552,7 @@ no sysopt nodnsalias outbound - + @@ -8296,8 +8596,8 @@ no sysopt nodnsalias outbound - + @@ -8338,7 +8638,7 @@ no sysopt nodnsalias outbound - @@ -8349,11 +8649,11 @@ no sysopt nodnsalias outbound - - - @@ -8388,8 +8688,8 @@ no sysopt nodnsalias outbound - + @@ -8424,9 +8724,9 @@ no sysopt nodnsalias outbound - + + @@ -8473,8 +8773,8 @@ no sysopt nodnsalias outbound - + @@ -8510,7 +8810,7 @@ no sysopt nodnsalias outbound - @@ -8521,11 +8821,11 @@ no sysopt nodnsalias outbound - - - @@ -8559,8 +8859,8 @@ no sysopt nodnsalias outbound - + @@ -8594,9 +8894,9 @@ no sysopt nodnsalias outbound - + + @@ -8617,7 +8917,7 @@ no sysopt nodnsalias outbound - + @@ -8632,7 +8932,7 @@ no sysopt nodnsalias outbound - + @@ -8647,7 +8947,7 @@ no sysopt nodnsalias outbound - + @@ -8662,7 +8962,7 @@ no sysopt nodnsalias outbound - + @@ -8677,7 +8977,7 @@ no sysopt nodnsalias outbound - + @@ -8697,7 +8997,7 @@ no sysopt nodnsalias outbound - + @@ -8720,7 +9020,7 @@ no sysopt nodnsalias outbound - + @@ -8738,7 +9038,7 @@ no sysopt nodnsalias outbound - + @@ -8781,17 +9081,17 @@ no sysopt nodnsalias outbound - + - - + + @@ -8801,9 +9101,9 @@ no sysopt nodnsalias outbound - - @@ -8812,17 +9112,17 @@ no sysopt nodnsalias outbound - + + + - + @@ -8841,12 +9141,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8865,15 +9168,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -8891,7 +9197,7 @@ no sysopt nodnsalias outbound - + @@ -8909,7 +9215,7 @@ no sysopt nodnsalias outbound - + @@ -8927,7 +9233,7 @@ no sysopt nodnsalias outbound - + @@ -8945,7 +9251,7 @@ no sysopt nodnsalias outbound - + @@ -8986,11 +9292,11 @@ no sysopt nodnsalias outbound - + - + @@ -9012,13 +9318,13 @@ no sysopt nodnsalias outbound - - - @@ -9037,7 +9343,7 @@ no sysopt nodnsalias outbound - @@ -9057,10 +9363,10 @@ no sysopt nodnsalias outbound - + - @@ -9087,7 +9393,7 @@ no sysopt nodnsalias outbound - @@ -9131,12 +9437,12 @@ no sysopt nodnsalias outbound - - - @@ -9153,7 +9459,7 @@ no sysopt nodnsalias outbound - + @@ -9173,15 +9479,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9403,7 +9712,7 @@ no sysopt nodnsalias outbound - + @@ -9422,12 +9731,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9446,12 +9758,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9470,12 +9785,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9494,12 +9812,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9518,12 +9839,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9542,12 +9866,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9566,12 +9893,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9590,12 +9920,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9618,12 +9951,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9642,12 +9978,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9666,12 +10005,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9690,12 +10032,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9714,15 +10059,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -9742,7 +10090,7 @@ no sysopt nodnsalias outbound - + @@ -9759,7 +10107,7 @@ no sysopt nodnsalias outbound - + @@ -9777,7 +10125,7 @@ no sysopt nodnsalias outbound - + @@ -9796,7 +10144,7 @@ no sysopt nodnsalias outbound - + @@ -9811,7 +10159,7 @@ no sysopt nodnsalias outbound - + @@ -9827,7 +10175,7 @@ no sysopt nodnsalias outbound - + @@ -9847,7 +10195,7 @@ no sysopt nodnsalias outbound - + @@ -9866,14 +10214,14 @@ no sysopt nodnsalias outbound - - + - + @@ -9891,7 +10239,7 @@ no sysopt nodnsalias outbound - + @@ -9908,13 +10256,13 @@ no sysopt nodnsalias outbound - + - - + @@ -9932,14 +10280,14 @@ no sysopt nodnsalias outbound - - + - + @@ -9959,7 +10307,7 @@ no sysopt nodnsalias outbound - + @@ -9978,13 +10326,13 @@ no sysopt nodnsalias outbound - + - - + @@ -10002,7 +10350,7 @@ no sysopt nodnsalias outbound - + @@ -10020,7 +10368,7 @@ no sysopt nodnsalias outbound - + @@ -10039,7 +10387,7 @@ no sysopt nodnsalias outbound - + @@ -10057,13 +10405,13 @@ no sysopt nodnsalias outbound - + - - + @@ -10081,13 +10429,13 @@ no sysopt nodnsalias outbound - + - - + @@ -10105,13 +10453,13 @@ no sysopt nodnsalias outbound - + - - + @@ -10130,13 +10478,13 @@ no sysopt nodnsalias outbound - + - - + @@ -10154,7 +10502,7 @@ no sysopt nodnsalias outbound - + @@ -10171,13 +10519,13 @@ no sysopt nodnsalias outbound - + - - + @@ -10194,13 +10542,13 @@ no sysopt nodnsalias outbound - + - - + @@ -10218,7 +10566,7 @@ no sysopt nodnsalias outbound - + @@ -10236,13 +10584,13 @@ no sysopt nodnsalias outbound - + - - + @@ -10259,11 +10607,11 @@ no sysopt nodnsalias outbound - + - + @@ -10293,12 +10641,12 @@ no sysopt nodnsalias outbound - + - @@ -10307,7 +10655,7 @@ no sysopt nodnsalias outbound - @@ -10324,9 +10672,9 @@ no sysopt nodnsalias outbound - + + @@ -10338,12 +10686,12 @@ no sysopt nodnsalias outbound - - @@ -10352,7 +10700,7 @@ no sysopt nodnsalias outbound - @@ -10376,7 +10724,7 @@ no sysopt nodnsalias outbound - @@ -10397,9 +10745,9 @@ no sysopt nodnsalias outbound - - - @@ -10478,11 +10826,11 @@ no sysopt nodnsalias outbound - + + - @@ -10502,7 +10850,7 @@ no sysopt nodnsalias outbound - + @@ -10521,12 +10869,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -10545,12 +10896,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -10569,12 +10923,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -10594,12 +10951,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -10619,15 +10979,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -10648,7 +11011,7 @@ no sysopt nodnsalias outbound - + @@ -10666,7 +11029,7 @@ no sysopt nodnsalias outbound - + @@ -10684,7 +11047,7 @@ no sysopt nodnsalias outbound - + @@ -10702,7 +11065,7 @@ no sysopt nodnsalias outbound - + @@ -10720,7 +11083,7 @@ no sysopt nodnsalias outbound - + @@ -10740,7 +11103,7 @@ no sysopt nodnsalias outbound - + @@ -10760,7 +11123,7 @@ no sysopt nodnsalias outbound - + @@ -10778,7 +11141,7 @@ no sysopt nodnsalias outbound - + @@ -10796,7 +11159,7 @@ no sysopt nodnsalias outbound - + @@ -10815,7 +11178,7 @@ no sysopt nodnsalias outbound - + @@ -10834,7 +11197,7 @@ no sysopt nodnsalias outbound - + @@ -10875,50 +11238,50 @@ no sysopt nodnsalias outbound - + + - + - + - + + - + + + + + + + + + + + + + + + - + + + @@ -10932,20 +11295,20 @@ no sysopt nodnsalias outbound - - - - + + + + @@ -10958,7 +11321,7 @@ no sysopt nodnsalias outbound - + @@ -10977,12 +11340,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11001,15 +11367,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11027,7 +11396,7 @@ no sysopt nodnsalias outbound - + @@ -11045,7 +11414,7 @@ no sysopt nodnsalias outbound - + @@ -11065,7 +11434,7 @@ no sysopt nodnsalias outbound - + @@ -11086,7 +11455,7 @@ no sysopt nodnsalias outbound - + @@ -11107,7 +11476,7 @@ no sysopt nodnsalias outbound - + @@ -11127,7 +11496,7 @@ no sysopt nodnsalias outbound - + @@ -11148,7 +11517,7 @@ no sysopt nodnsalias outbound - + @@ -11189,7 +11558,7 @@ no sysopt nodnsalias outbound - + @@ -11208,7 +11577,7 @@ no sysopt nodnsalias outbound - + @@ -11226,7 +11595,7 @@ no sysopt nodnsalias outbound - + @@ -11244,7 +11613,7 @@ no sysopt nodnsalias outbound - + @@ -11285,50 +11654,50 @@ no sysopt nodnsalias outbound - + + - + - + - + + - + + + + + + + + + + + + + + + - + + + @@ -11342,20 +11711,20 @@ no sysopt nodnsalias outbound - - - - + + + + @@ -11368,7 +11737,7 @@ no sysopt nodnsalias outbound - + @@ -11387,12 +11756,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11411,12 +11783,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11435,12 +11810,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11459,12 +11837,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11483,12 +11864,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11507,12 +11891,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11531,12 +11918,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11555,12 +11945,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11579,12 +11972,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11603,12 +11999,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11627,12 +12026,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11655,12 +12057,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11679,12 +12084,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11703,12 +12111,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11727,12 +12138,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11751,15 +12165,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -11779,7 +12196,7 @@ no sysopt nodnsalias outbound - + @@ -11796,7 +12213,7 @@ no sysopt nodnsalias outbound - + @@ -11814,7 +12231,7 @@ no sysopt nodnsalias outbound - + @@ -11833,7 +12250,7 @@ no sysopt nodnsalias outbound - + @@ -11848,7 +12265,7 @@ no sysopt nodnsalias outbound - + @@ -11864,7 +12281,7 @@ no sysopt nodnsalias outbound - + @@ -11884,7 +12301,7 @@ no sysopt nodnsalias outbound - + @@ -11903,14 +12320,14 @@ no sysopt nodnsalias outbound - - + - + @@ -11928,7 +12345,7 @@ no sysopt nodnsalias outbound - + @@ -11947,7 +12364,7 @@ no sysopt nodnsalias outbound - + @@ -11965,7 +12382,7 @@ no sysopt nodnsalias outbound - + @@ -11982,13 +12399,13 @@ no sysopt nodnsalias outbound - + - - + @@ -12006,14 +12423,14 @@ no sysopt nodnsalias outbound - - + - + @@ -12033,7 +12450,7 @@ no sysopt nodnsalias outbound - + @@ -12052,13 +12469,13 @@ no sysopt nodnsalias outbound - + - - + @@ -12076,7 +12493,7 @@ no sysopt nodnsalias outbound - + @@ -12094,7 +12511,7 @@ no sysopt nodnsalias outbound - + @@ -12113,7 +12530,7 @@ no sysopt nodnsalias outbound - + @@ -12131,13 +12548,13 @@ no sysopt nodnsalias outbound - + - - + @@ -12155,13 +12572,13 @@ no sysopt nodnsalias outbound - + - - + @@ -12179,13 +12596,13 @@ no sysopt nodnsalias outbound - + - - + @@ -12204,13 +12621,13 @@ no sysopt nodnsalias outbound - + - - + @@ -12230,7 +12647,7 @@ no sysopt nodnsalias outbound - + @@ -12247,13 +12664,13 @@ no sysopt nodnsalias outbound - + - - + @@ -12270,13 +12687,13 @@ no sysopt nodnsalias outbound - + - - + @@ -12294,7 +12711,7 @@ no sysopt nodnsalias outbound - + @@ -12312,7 +12729,7 @@ no sysopt nodnsalias outbound - + @@ -12330,10 +12747,10 @@ no sysopt nodnsalias outbound - + - @@ -12356,7 +12773,7 @@ no sysopt nodnsalias outbound - + @@ -12374,11 +12791,11 @@ no sysopt nodnsalias outbound - + - + @@ -12408,12 +12825,12 @@ no sysopt nodnsalias outbound - + - @@ -12422,7 +12839,7 @@ no sysopt nodnsalias outbound - @@ -12439,9 +12856,9 @@ no sysopt nodnsalias outbound - + + @@ -12453,12 +12870,12 @@ no sysopt nodnsalias outbound - - @@ -12467,7 +12884,7 @@ no sysopt nodnsalias outbound - @@ -12491,7 +12908,7 @@ no sysopt nodnsalias outbound - @@ -12513,9 +12930,9 @@ no sysopt nodnsalias outbound - - - + @@ -12586,7 +13003,7 @@ no sysopt nodnsalias outbound - @@ -12597,11 +13014,11 @@ no sysopt nodnsalias outbound - + + - @@ -12621,7 +13038,7 @@ no sysopt nodnsalias outbound - + @@ -12640,12 +13057,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -12664,12 +13084,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -12688,12 +13111,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -12712,12 +13138,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -12736,15 +13165,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -12762,7 +13194,7 @@ no sysopt nodnsalias outbound - + @@ -12780,7 +13212,7 @@ no sysopt nodnsalias outbound - + @@ -12798,7 +13230,7 @@ no sysopt nodnsalias outbound - + @@ -12816,7 +13248,7 @@ no sysopt nodnsalias outbound - + @@ -12834,7 +13266,7 @@ no sysopt nodnsalias outbound - + @@ -12853,7 +13285,7 @@ no sysopt nodnsalias outbound - + @@ -12875,7 +13307,7 @@ no sysopt nodnsalias outbound - + @@ -12896,7 +13328,7 @@ no sysopt nodnsalias outbound - + @@ -12939,11 +13371,11 @@ no sysopt nodnsalias outbound - + - + @@ -12968,13 +13400,13 @@ no sysopt nodnsalias outbound - - - @@ -12991,7 +13423,7 @@ no sysopt nodnsalias outbound - @@ -13042,8 +13474,8 @@ no sysopt nodnsalias outbound - + @@ -13079,11 +13511,11 @@ no sysopt nodnsalias outbound - + + - @@ -13102,7 +13534,7 @@ no sysopt nodnsalias outbound - + @@ -13121,12 +13553,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13145,12 +13580,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13169,12 +13607,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13193,12 +13634,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13217,15 +13661,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13245,7 +13692,7 @@ no sysopt nodnsalias outbound - + @@ -13265,7 +13712,7 @@ no sysopt nodnsalias outbound - + @@ -13285,7 +13732,7 @@ no sysopt nodnsalias outbound - + @@ -13305,7 +13752,7 @@ no sysopt nodnsalias outbound - + @@ -13325,7 +13772,7 @@ no sysopt nodnsalias outbound - + @@ -13345,7 +13792,7 @@ no sysopt nodnsalias outbound - + @@ -13365,7 +13812,7 @@ no sysopt nodnsalias outbound - + @@ -13385,7 +13832,7 @@ no sysopt nodnsalias outbound - + @@ -13405,7 +13852,7 @@ no sysopt nodnsalias outbound - + @@ -13425,7 +13872,7 @@ no sysopt nodnsalias outbound - + @@ -13445,7 +13892,7 @@ no sysopt nodnsalias outbound - + @@ -13465,7 +13912,7 @@ no sysopt nodnsalias outbound - + @@ -13485,7 +13932,7 @@ no sysopt nodnsalias outbound - + @@ -13505,7 +13952,7 @@ no sysopt nodnsalias outbound - + @@ -13525,7 +13972,7 @@ no sysopt nodnsalias outbound - + @@ -13545,7 +13992,7 @@ no sysopt nodnsalias outbound - + @@ -13565,7 +14012,7 @@ no sysopt nodnsalias outbound - + @@ -13585,7 +14032,7 @@ no sysopt nodnsalias outbound - + @@ -13606,7 +14053,7 @@ no sysopt nodnsalias outbound - + @@ -13628,7 +14075,7 @@ no sysopt nodnsalias outbound - + @@ -13649,7 +14096,7 @@ no sysopt nodnsalias outbound - + @@ -13692,11 +14139,11 @@ no sysopt nodnsalias outbound - + - + @@ -13721,13 +14168,13 @@ no sysopt nodnsalias outbound - - - @@ -13744,7 +14191,7 @@ no sysopt nodnsalias outbound - @@ -13795,8 +14242,8 @@ no sysopt nodnsalias outbound - + @@ -13832,11 +14279,11 @@ no sysopt nodnsalias outbound - + + - @@ -13855,7 +14302,7 @@ no sysopt nodnsalias outbound - + @@ -13874,12 +14321,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13898,12 +14348,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13922,12 +14375,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13946,12 +14402,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13970,15 +14429,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -13998,7 +14460,7 @@ no sysopt nodnsalias outbound - + @@ -14018,7 +14480,7 @@ no sysopt nodnsalias outbound - + @@ -14038,7 +14500,7 @@ no sysopt nodnsalias outbound - + @@ -14058,7 +14520,7 @@ no sysopt nodnsalias outbound - + @@ -14078,7 +14540,7 @@ no sysopt nodnsalias outbound - + @@ -14098,7 +14560,7 @@ no sysopt nodnsalias outbound - + @@ -14118,7 +14580,7 @@ no sysopt nodnsalias outbound - + @@ -14138,7 +14600,7 @@ no sysopt nodnsalias outbound - + @@ -14158,7 +14620,7 @@ no sysopt nodnsalias outbound - + @@ -14178,7 +14640,7 @@ no sysopt nodnsalias outbound - + @@ -14198,7 +14660,7 @@ no sysopt nodnsalias outbound - + @@ -14218,7 +14680,7 @@ no sysopt nodnsalias outbound - + @@ -14238,7 +14700,7 @@ no sysopt nodnsalias outbound - + @@ -14258,7 +14720,7 @@ no sysopt nodnsalias outbound - + @@ -14278,7 +14740,7 @@ no sysopt nodnsalias outbound - + @@ -14298,7 +14760,7 @@ no sysopt nodnsalias outbound - + @@ -14318,7 +14780,7 @@ no sysopt nodnsalias outbound - + @@ -14338,7 +14800,7 @@ no sysopt nodnsalias outbound - + @@ -14359,7 +14821,7 @@ no sysopt nodnsalias outbound - + @@ -14381,7 +14843,7 @@ no sysopt nodnsalias outbound - + @@ -14402,7 +14864,7 @@ no sysopt nodnsalias outbound - + @@ -14445,11 +14907,11 @@ no sysopt nodnsalias outbound - + - + @@ -14474,13 +14936,13 @@ no sysopt nodnsalias outbound - - - @@ -14497,7 +14959,7 @@ no sysopt nodnsalias outbound - @@ -14548,10 +15010,10 @@ no sysopt nodnsalias outbound - + + + @@ -14587,11 +15049,11 @@ no sysopt nodnsalias outbound - + + - @@ -14610,7 +15072,7 @@ no sysopt nodnsalias outbound - + @@ -14629,12 +15091,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -14653,12 +15118,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -14677,12 +15145,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -14701,12 +15172,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -14725,15 +15199,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -14753,7 +15230,7 @@ no sysopt nodnsalias outbound - + @@ -14773,7 +15250,7 @@ no sysopt nodnsalias outbound - + @@ -14793,7 +15270,7 @@ no sysopt nodnsalias outbound - + @@ -14813,7 +15290,7 @@ no sysopt nodnsalias outbound - + @@ -14833,7 +15310,7 @@ no sysopt nodnsalias outbound - + @@ -14853,7 +15330,7 @@ no sysopt nodnsalias outbound - + @@ -14873,7 +15350,7 @@ no sysopt nodnsalias outbound - + @@ -14893,7 +15370,7 @@ no sysopt nodnsalias outbound - + @@ -14913,7 +15390,7 @@ no sysopt nodnsalias outbound - + @@ -14933,7 +15410,7 @@ no sysopt nodnsalias outbound - + @@ -14953,7 +15430,7 @@ no sysopt nodnsalias outbound - + @@ -14973,7 +15450,7 @@ no sysopt nodnsalias outbound - + @@ -14993,7 +15470,7 @@ no sysopt nodnsalias outbound - + @@ -15013,7 +15490,7 @@ no sysopt nodnsalias outbound - + @@ -15033,7 +15510,7 @@ no sysopt nodnsalias outbound - + @@ -15053,7 +15530,7 @@ no sysopt nodnsalias outbound - + @@ -15073,7 +15550,7 @@ no sysopt nodnsalias outbound - + @@ -15093,7 +15570,7 @@ no sysopt nodnsalias outbound - + @@ -15114,7 +15591,7 @@ no sysopt nodnsalias outbound - + @@ -15136,7 +15613,7 @@ no sysopt nodnsalias outbound - + @@ -15157,7 +15634,7 @@ no sysopt nodnsalias outbound - + @@ -15200,11 +15677,11 @@ no sysopt nodnsalias outbound - + - + @@ -15229,13 +15706,13 @@ no sysopt nodnsalias outbound - - - @@ -15252,7 +15729,7 @@ no sysopt nodnsalias outbound - @@ -15303,8 +15780,8 @@ no sysopt nodnsalias outbound - + @@ -15340,11 +15817,11 @@ no sysopt nodnsalias outbound - + + - @@ -15363,7 +15840,7 @@ no sysopt nodnsalias outbound - + @@ -15382,12 +15859,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15406,15 +15886,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15433,7 +15916,7 @@ no sysopt nodnsalias outbound - + @@ -15453,7 +15936,7 @@ no sysopt nodnsalias outbound - + @@ -15475,7 +15958,7 @@ no sysopt nodnsalias outbound - + @@ -15493,7 +15976,7 @@ no sysopt nodnsalias outbound - + @@ -15511,7 +15994,7 @@ no sysopt nodnsalias outbound - + @@ -15544,7 +16027,7 @@ no sysopt nodnsalias outbound - + @@ -15576,7 +16059,7 @@ no sysopt nodnsalias outbound - @@ -15619,7 +16102,7 @@ no sysopt nodnsalias outbound - @@ -15641,7 +16124,7 @@ no sysopt nodnsalias outbound - @@ -15649,14 +16132,14 @@ no sysopt nodnsalias outbound - - - @@ -15668,9 +16151,9 @@ no sysopt nodnsalias outbound - + + @@ -15695,7 +16178,7 @@ no sysopt nodnsalias outbound - @@ -15714,7 +16197,7 @@ no sysopt nodnsalias outbound - + @@ -15733,12 +16216,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15757,12 +16243,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15781,12 +16270,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15805,12 +16297,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15829,12 +16324,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15853,12 +16351,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15877,12 +16378,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15901,12 +16405,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15929,12 +16436,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15953,12 +16463,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -15977,12 +16490,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -16001,12 +16517,15 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -16025,15 +16544,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -16053,7 +16575,7 @@ no sysopt nodnsalias outbound - + @@ -16070,7 +16592,7 @@ no sysopt nodnsalias outbound - + @@ -16088,7 +16610,7 @@ no sysopt nodnsalias outbound - + @@ -16107,7 +16629,7 @@ no sysopt nodnsalias outbound - + @@ -16122,7 +16644,7 @@ no sysopt nodnsalias outbound - + @@ -16138,7 +16660,7 @@ no sysopt nodnsalias outbound - + @@ -16158,7 +16680,7 @@ no sysopt nodnsalias outbound - + @@ -16177,14 +16699,14 @@ no sysopt nodnsalias outbound - - + - + @@ -16202,7 +16724,7 @@ no sysopt nodnsalias outbound - + @@ -16219,13 +16741,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16243,14 +16765,14 @@ no sysopt nodnsalias outbound - - + - + @@ -16270,7 +16792,7 @@ no sysopt nodnsalias outbound - + @@ -16289,13 +16811,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16313,7 +16835,7 @@ no sysopt nodnsalias outbound - + @@ -16331,7 +16853,7 @@ no sysopt nodnsalias outbound - + @@ -16350,7 +16872,7 @@ no sysopt nodnsalias outbound - + @@ -16368,13 +16890,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16392,13 +16914,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16416,13 +16938,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16441,13 +16963,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16465,7 +16987,7 @@ no sysopt nodnsalias outbound - + @@ -16482,13 +17004,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16505,13 +17027,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16529,7 +17051,7 @@ no sysopt nodnsalias outbound - + @@ -16547,13 +17069,13 @@ no sysopt nodnsalias outbound - + - - + @@ -16570,11 +17092,11 @@ no sysopt nodnsalias outbound - + - + @@ -16604,12 +17126,12 @@ no sysopt nodnsalias outbound - + - @@ -16618,7 +17140,7 @@ no sysopt nodnsalias outbound - @@ -16635,9 +17157,9 @@ no sysopt nodnsalias outbound - + + @@ -16649,12 +17171,12 @@ no sysopt nodnsalias outbound - - @@ -16663,7 +17185,7 @@ no sysopt nodnsalias outbound - @@ -16687,7 +17209,7 @@ no sysopt nodnsalias outbound - @@ -16708,9 +17230,9 @@ no sysopt nodnsalias outbound - - - @@ -16789,11 +17311,11 @@ no sysopt nodnsalias outbound - + + - @@ -16813,7 +17335,7 @@ no sysopt nodnsalias outbound - + @@ -16833,15 +17355,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -17063,7 +17588,7 @@ no sysopt nodnsalias outbound - + @@ -17083,15 +17608,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -17313,7 +17841,7 @@ no sysopt nodnsalias outbound - + @@ -17333,15 +17861,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -17563,7 +18094,7 @@ no sysopt nodnsalias outbound - + @@ -17582,15 +18113,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -17610,7 +18144,7 @@ no sysopt nodnsalias outbound - + @@ -17628,7 +18162,7 @@ no sysopt nodnsalias outbound - + @@ -17646,7 +18180,7 @@ no sysopt nodnsalias outbound - + @@ -17820,7 +18354,7 @@ no sysopt nodnsalias outbound - + @@ -17862,12 +18396,12 @@ no sysopt nodnsalias outbound - + - + @@ -17876,8 +18410,8 @@ no sysopt nodnsalias outbound - + @@ -17894,9 +18428,9 @@ no sysopt nodnsalias outbound - + + @@ -17913,22 +18447,22 @@ no sysopt nodnsalias outbound - - - - @@ -17940,7 +18474,7 @@ no sysopt nodnsalias outbound - @@ -17956,7 +18490,7 @@ no sysopt nodnsalias outbound - @@ -17964,10 +18498,10 @@ no sysopt nodnsalias outbound - + + + @@ -17980,8 +18514,8 @@ no sysopt nodnsalias outbound - + @@ -17993,11 +18527,11 @@ no sysopt nodnsalias outbound - + + - @@ -18019,7 +18553,7 @@ no sysopt nodnsalias outbound - + @@ -18038,9 +18572,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -18170,7 +18707,7 @@ no sysopt nodnsalias outbound - + @@ -18212,12 +18749,12 @@ no sysopt nodnsalias outbound - + - + @@ -18226,8 +18763,8 @@ no sysopt nodnsalias outbound - + @@ -18244,9 +18781,9 @@ no sysopt nodnsalias outbound - + + @@ -18263,22 +18800,22 @@ no sysopt nodnsalias outbound - - - - @@ -18290,7 +18827,7 @@ no sysopt nodnsalias outbound - @@ -18306,7 +18843,7 @@ no sysopt nodnsalias outbound - @@ -18314,10 +18851,10 @@ no sysopt nodnsalias outbound - + + + @@ -18330,8 +18867,8 @@ no sysopt nodnsalias outbound - + @@ -18343,11 +18880,11 @@ no sysopt nodnsalias outbound - + + - @@ -18369,7 +18906,7 @@ no sysopt nodnsalias outbound - + @@ -18388,9 +18925,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -18477,7 +19017,7 @@ no sysopt nodnsalias outbound - + @@ -18519,12 +19059,12 @@ no sysopt nodnsalias outbound - + - + @@ -18533,8 +19073,8 @@ no sysopt nodnsalias outbound - + @@ -18551,9 +19091,9 @@ no sysopt nodnsalias outbound - + + @@ -18570,22 +19110,22 @@ no sysopt nodnsalias outbound - - - - @@ -18597,7 +19137,7 @@ no sysopt nodnsalias outbound - @@ -18613,7 +19153,7 @@ no sysopt nodnsalias outbound - @@ -18621,10 +19161,10 @@ no sysopt nodnsalias outbound - + + + @@ -18637,8 +19177,8 @@ no sysopt nodnsalias outbound - + @@ -18650,11 +19190,11 @@ no sysopt nodnsalias outbound - + + - @@ -18676,7 +19216,7 @@ no sysopt nodnsalias outbound - + @@ -18695,9 +19235,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -18784,7 +19327,7 @@ no sysopt nodnsalias outbound - + @@ -18826,12 +19369,12 @@ no sysopt nodnsalias outbound - + - + @@ -18840,8 +19383,8 @@ no sysopt nodnsalias outbound - + @@ -18858,9 +19401,9 @@ no sysopt nodnsalias outbound - + + @@ -18877,22 +19420,22 @@ no sysopt nodnsalias outbound - - - - @@ -18904,7 +19447,7 @@ no sysopt nodnsalias outbound - @@ -18920,7 +19463,7 @@ no sysopt nodnsalias outbound - @@ -18928,10 +19471,10 @@ no sysopt nodnsalias outbound - + + + @@ -18944,8 +19487,8 @@ no sysopt nodnsalias outbound - + @@ -18957,11 +19500,11 @@ no sysopt nodnsalias outbound - + + - @@ -18983,7 +19526,7 @@ no sysopt nodnsalias outbound - + @@ -19002,9 +19545,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19026,9 +19572,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19050,9 +19599,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19075,9 +19627,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19101,9 +19656,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19128,9 +19686,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19154,9 +19715,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19180,9 +19744,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19208,9 +19775,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19235,9 +19805,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19261,9 +19834,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19287,9 +19863,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19313,9 +19892,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19341,9 +19923,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19369,9 +19954,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19397,9 +19985,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19427,9 +20018,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19457,9 +20051,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19487,9 +20084,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19517,9 +20117,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19547,9 +20150,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19574,9 +20180,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19604,9 +20213,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19637,9 +20249,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19663,9 +20278,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19687,9 +20305,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -19765,7 +20386,7 @@ no sysopt nodnsalias outbound - + @@ -19808,12 +20429,12 @@ no sysopt nodnsalias outbound - + - + @@ -19822,8 +20443,8 @@ no sysopt nodnsalias outbound - + @@ -19840,9 +20461,9 @@ no sysopt nodnsalias outbound - + + @@ -19859,22 +20480,22 @@ no sysopt nodnsalias outbound - - - - @@ -19886,7 +20507,7 @@ no sysopt nodnsalias outbound - @@ -19902,7 +20523,7 @@ no sysopt nodnsalias outbound - @@ -19910,10 +20531,10 @@ no sysopt nodnsalias outbound - + + + @@ -19926,8 +20547,8 @@ no sysopt nodnsalias outbound - + @@ -19939,11 +20560,11 @@ no sysopt nodnsalias outbound - + + - @@ -19984,9 +20605,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20008,9 +20632,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20032,9 +20659,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20056,9 +20686,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20080,9 +20713,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20104,9 +20740,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20128,9 +20767,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20152,9 +20794,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20177,9 +20822,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20202,9 +20850,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20226,9 +20877,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20252,9 +20906,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20278,9 +20935,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20304,9 +20964,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20330,9 +20993,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20356,9 +21022,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20383,9 +21052,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20393,7 +21065,7 @@ no sysopt nodnsalias outbound - + @@ -20436,12 +21108,12 @@ no sysopt nodnsalias outbound - + - + @@ -20450,8 +21122,8 @@ no sysopt nodnsalias outbound - + @@ -20468,9 +21140,9 @@ no sysopt nodnsalias outbound - + + @@ -20487,22 +21159,22 @@ no sysopt nodnsalias outbound - - - - @@ -20514,7 +21186,7 @@ no sysopt nodnsalias outbound - @@ -20530,7 +21202,7 @@ no sysopt nodnsalias outbound - @@ -20538,10 +21210,10 @@ no sysopt nodnsalias outbound - + + + @@ -20554,8 +21226,8 @@ no sysopt nodnsalias outbound - + @@ -20567,11 +21239,11 @@ no sysopt nodnsalias outbound - + + - @@ -20612,9 +21284,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20636,9 +21311,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20660,9 +21338,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20685,9 +21366,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20709,15 +21393,18 @@ no sysopt nodnsalias outbound - - - + + + + + + - + @@ -20760,12 +21447,12 @@ no sysopt nodnsalias outbound - + - + @@ -20774,8 +21461,8 @@ no sysopt nodnsalias outbound - + @@ -20792,9 +21479,9 @@ no sysopt nodnsalias outbound - + + @@ -20811,22 +21498,22 @@ no sysopt nodnsalias outbound - - - - @@ -20838,7 +21525,7 @@ no sysopt nodnsalias outbound - @@ -20854,7 +21541,7 @@ no sysopt nodnsalias outbound - @@ -20862,10 +21549,10 @@ no sysopt nodnsalias outbound - + + + @@ -20878,8 +21565,8 @@ no sysopt nodnsalias outbound - + @@ -20891,11 +21578,11 @@ no sysopt nodnsalias outbound - + + - @@ -20936,9 +21623,12 @@ no sysopt nodnsalias outbound - - - + + + + + + @@ -20969,8 +21659,8 @@ no sysopt nodnsalias outbound - + @@ -20978,8 +21668,8 @@ no sysopt nodnsalias outbound - + @@ -20998,13 +21688,13 @@ no sysopt nodnsalias outbound - - - @@ -21016,7 +21706,7 @@ no sysopt nodnsalias outbound - @@ -21031,7 +21721,7 @@ no sysopt nodnsalias outbound - @@ -21041,11 +21731,11 @@ no sysopt nodnsalias outbound - - + + @@ -21056,7 +21746,7 @@ no sysopt nodnsalias outbound - @@ -21069,7 +21759,7 @@ no sysopt nodnsalias outbound - @@ -21145,6 +21835,407 @@ no sysopt nodnsalias outbound + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index 6439e6cd4..cf83b2ad9 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:20 2011 PST by vadim +! Generated Sat Feb 19 18:59:48 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 70c69fa50..47cba705d 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3470 +! Firewall Builder fwb_pix v4.2.0.3482 ! -! Generated Thu Feb 10 15:07:21 2011 PST by vadim +! Generated Sat Feb 19 18:59:48 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported