
split unit tests to keep all nat tests separate; first crack and pix grammar to import nat

This commit is contained in:
Vadim Kurland 2011-03-29 23:07:50 -07:00
parent 141e80f7c1
commit 4f811091f5
30 changed files with 3368 additions and 1610 deletions


@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
# build number is like "nano" version number. I am incrementing build
# number during development cycle
#
BUILD_NUM="3513"
BUILD_NUM="3514"
VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"


@ -1,2 +1,2 @@
#define VERSION "4.2.0.3513"
#define VERSION "4.2.0.3514"
#define GENERATION "4.2"


@ -3,7 +3,7 @@
%define name fwbuilder
%define version 4.2.0.3513
%define version 4.2.0.3514
%define release 1
%if "%_vendor" == "MandrakeSoft"


@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
Priority: extra
Section: checkinstall
Maintainer: vadim@fwbuilder.org
Version: 4.2.0.3513-1
Version: 4.2.0.3514-1
Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
Description: Firewall Builder GUI and policy compilers


@ -1,6 +1,6 @@
%define name fwbuilder
%define version 4.2.0.3513
%define version 4.2.0.3514
%define release 1
%if "%_vendor" == "MandrakeSoft"


@ -6,8 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -101,6 +99,28 @@ void PIXImporter::clear()
object_group_name = "";
object_group_comment = "";
object_group_service_protocol = "";
rule_type = NATRule::Unknown;
prenat_interface = "";
postnat_interface = "";
real_a = "";
real_nm = "";
mapped_a = "";
mapped_nm = "";
real_addr_acl = "";
mapped_port_spec = "";
real_port_spec = "";
static_max_conn = "";
static_max_emb_conn = "";
nat_num = "";
nat_a = "";
nat_nm = "";
nat_acl = "";
global_pool_num = "";
global_interface = "";
}
/*
@ -255,6 +275,18 @@ void PIXImporter::addLogging()
}
}
void PIXImporter::pushRule()
{
// assert(current_ruleset!=NULL);
if (current_rule==NULL) return;
if (rule_type == NATRule::Unknown)
IOSImporter::pushRule();
else
pushNATRule();
}
/*
* Rearrange vlan interfaces. Importer creates all interfaces as
* children of the firewall. Vlan interfaces should become
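Review bot: pushRule() now dispatches on rule_type, but the only assignment to it visible in this diff is the one appended to clear(); if the constructor does not call clear() (not visible here) the first pushRule() reads an indeterminate enum, and if clear() is not invoked between rules, a policy rule that follows a NAT rule is routed to pushNATRule() instead of IOSImporter::pushRule(). Either way the importer would silently produce a rule set that differs from the configuration being imported, which for a firewall policy importer is a correctness problem rather than a cosmetic one. I would initialize the member in the constructor initializer list and reset it wherever the per-rule temporaries are reset (clearTempVars() in the header looks like that place; please confirm), e.g. `rule_type = NATRule::Unknown;`. The `// assert(current_ruleset!=NULL);` carried over as a comment should either become a real check or be dropped. The vlan-rearrangement comment that starts at the end of this hunk continues outside it.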


@ -35,6 +35,8 @@
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/Logger.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/NAT.h"
#include <QString>
@ -53,6 +55,29 @@ class PIXImporter : public IOSImporter
libfwbuilder::FWObject *current_object_group;
QMap<QString,libfwbuilder::FWObject*> named_objects_registry;
// variables for the nat rules
libfwbuilder::NATRule::NATRuleTypes rule_type;
std::string prenat_interface;
std::string postnat_interface;
std::string real_a;
std::string real_nm;
std::string mapped_a;
std::string mapped_nm;
std::string real_addr_acl;
std::string mapped_port_spec;
std::string real_port_spec;
std::string static_max_conn;
std::string static_max_emb_conn;
std::string nat_num;
std::string nat_a;
std::string nat_nm;
std::string nat_acl;
std::string global_pool_num;
std::string global_interface;
PIXImporter(libfwbuilder::FWObject *lib,
std::istringstream &input,
@ -65,6 +90,10 @@ class PIXImporter : public IOSImporter
void clearTempVars();
virtual void run();
void pushPolicyRule();
void pushNATRule();
virtual void pushRule();
// this method actually adds interfaces to the firewall object
// and does final clean up.
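Review bot: The block of NAT temporaries added to PIXImporter (rule_type through global_interface) carries a single generic comment, so a reader cannot tell which PIX command fills each member or how real_a/mapped_a relate to nat_a and global_pool_num. A one-line comment per group would make the header self-explanatory, e.g. `// filled from "static (prenat_if,postnat_if) mapped_a real_a ..."` above real_a and `// filled from "nat (if) nat_num nat_a nat_nm" / "global (if) global_pool_num ..."` above nat_num; I am inferring that mapping from the names and the new grammar rule names, so verify it against pix.g. rule_type doubles as the dispatch key in pushRule(), so its comment should state that only NATRule::Unknown reaches IOSImporter::pushRule() and that it must be reset per rule. The class body continues outside the hunk.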


@ -0,0 +1,62 @@
/*
Firewall Builder
Copyright (C) 2007 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "PIXImporter.h"
#include <ios>
#include <iostream>
#include <algorithm>
#include <memory>
#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Library.h"
#include "../libgui/platforms.h"
#include <QString>
#include <QtDebug>
extern int fwbdebug;
void PIXImporter::pushNATRule()
{
}
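Review bot: pushNATRule() has an empty body, yet PIXImporter::pushRule() in this same commit already routes every rule with rule_type != NATRule::Unknown here, so nat/global/static lines accepted by the new grammar are consumed and discarded with no trace; someone importing a PIX configuration would get a policy that silently lacks its NAT rules. Until the import is implemented the stub should at least announce itself, e.g. `// TODO: NAT rule import not implemented; rules dispatched here are dropped` followed by `if (fwbdebug) qDebug() << "PIXImporter::pushNATRule: NAT rule import not implemented";`, and preferably a user-visible warning through whatever logging the importer already uses for skipped commands (that API is not visible in this diff). Most of the includes above (AddressRange, IPService, ICMPService, TCPService, ...) are not used by the stub; trimming them to what the function actually needs once it is written keeps the new translation unit from carrying dead dependencies in the meantime.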


@ -6,17 +6,18 @@ TEMPLATE = lib
#
SOURCES = QStringListOperators.cpp \
objectMaker.cpp \
objectMaker.cpp \
addressObjectMaker.cpp \
serviceObjectMaker.cpp \
getProtoByName.cpp \
getServByName.cpp \
getServByName.cpp \
Importer.cpp \
IOSImporter.cpp \
IOSImporterRun.cpp \
IPTImporter.cpp \
IPTImporterRun.cpp \
PIXImporter.cpp \
PIXImporterNat.cpp \
PIXImporterRun.cpp \
HEADERS = QStringListOperators.h \
@ -24,7 +25,7 @@ HEADERS = QStringListOperators.h \
addressObjectMaker.h \
serviceObjectMaker.h \
getProtoByName.h \
getServByName.h \
getServByName.h \
Importer.h \
IOSImporter.h \
IPTImporter.h \


@ -44,136 +44,137 @@ PIXCfgLexer::PIXCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState&
void PIXCfgLexer::initLiterals()
{
literals["full"] = 117;
literals["parameter-problem"] = 84;
literals["port-object"] = 52;
literals["notifications"] = 104;
literals["duplex"] = 123;
literals["no"] = 54;
literals["static"] = 143;
literals["full"] = 119;
literals["parameter-problem"] = 85;
literals["port-object"] = 53;
literals["notifications"] = 105;
literals["duplex"] = 125;
literals["no"] = 55;
literals["static"] = 147;
literals["esp"] = 16;
literals["time-range"] = 110;
literals["time-range"] = 111;
literals["gre"] = 17;
literals["timestamp-request"] = 91;
literals["echo"] = 71;
literals["speed"] = 122;
literals["warnings"] = 105;
literals["timestamp-request"] = 92;
literals["echo"] = 72;
literals["speed"] = 124;
literals["warnings"] = 106;
literals["timeout"] = 8;
literals["eigrp"] = 15;
literals["icmp-type"] = 49;
literals["permit"] = 64;
literals["remark"] = 139;
literals["icmp-type"] = 50;
literals["permit"] = 65;
literals["remark"] = 141;
literals["network"] = 29;
literals["igmp"] = 18;
literals["range"] = 33;
literals["destination"] = 42;
literals["setroute"] = 145;
literals["vlan"] = 121;
literals["debugging"] = 100;
literals["controller"] = 111;
literals["interface"] = 94;
literals["dhcp"] = 135;
literals["aui"] = 114;
literals["Version"] = 58;
literals["auto"] = 115;
literals["subnet"] = 34;
literals["time-exceeded"] = 89;
literals["shutdown"] = 133;
literals["group-object"] = 44;
literals["eq"] = 67;
literals["fragments"] = 109;
literals["unreachable"] = 93;
literals["delay"] = 126;
literals["range"] = 34;
literals["destination"] = 43;
literals["setroute"] = 152;
literals["vlan"] = 123;
literals["debugging"] = 101;
literals["controller"] = 112;
literals["interface"] = 95;
literals["dhcp"] = 137;
literals["aui"] = 116;
literals["Version"] = 59;
literals["auto"] = 117;
literals["subnet"] = 35;
literals["time-exceeded"] = 90;
literals["outside"] = 113;
literals["shutdown"] = 135;
literals["group-object"] = 45;
literals["eq"] = 68;
literals["fragments"] = 110;
literals["unreachable"] = 94;
literals["delay"] = 128;
literals["ip"] = 6;
literals["security-level"] = 132;
literals["mobile-redirect"] = 83;
literals["security-level"] = 134;
literals["mobile-redirect"] = 84;
literals["ospf"] = 23;
literals["name"] = 10;
literals["errors"] = 102;
literals["mask-request"] = 82;
literals["PIX"] = 56;
literals["any"] = 95;
literals["ASA"] = 57;
literals["errors"] = 103;
literals["mask-request"] = 83;
literals["PIX"] = 57;
literals["any"] = 96;
literals["ASA"] = 58;
literals["pptp"] = 26;
literals["redirect"] = 85;
literals["forward"] = 125;
literals["description"] = 31;
literals["timestamp-reply"] = 90;
literals["alerts"] = 98;
literals["lt"] = 69;
literals["bnc"] = 116;
literals["global"] = 142;
literals["redirect"] = 86;
literals["forward"] = 127;
literals["description"] = 32;
literals["timestamp-reply"] = 91;
literals["alerts"] = 99;
literals["lt"] = 70;
literals["bnc"] = 118;
literals["global"] = 146;
literals["nos"] = 22;
literals["extended"] = 63;
literals["certificate"] = 55;
literals["service"] = 35;
literals["telnet"] = 74;
literals["udp"] = 40;
literals["hold-time"] = 127;
literals["baseT"] = 118;
literals["extended"] = 64;
literals["certificate"] = 56;
literals["service"] = 36;
literals["telnet"] = 75;
literals["udp"] = 41;
literals["hold-time"] = 129;
literals["baseT"] = 120;
literals["ipinip"] = 20;
literals["standby"] = 136;
literals["crypto"] = 53;
literals["standby"] = 138;
literals["crypto"] = 54;
literals["pim"] = 25;
literals["secondary"] = 144;
literals["emergencies"] = 101;
literals["disable"] = 106;
literals["mask-reply"] = 81;
literals["tcp"] = 39;
literals["tcp-udp"] = 50;
literals["source"] = 41;
literals["secondary"] = 151;
literals["emergencies"] = 102;
literals["disable"] = 107;
literals["mask-reply"] = 82;
literals["tcp"] = 40;
literals["tcp-udp"] = 51;
literals["source"] = 42;
literals["names"] = 9;
literals["icmp"] = 36;
literals["log"] = 96;
literals["icmp"] = 37;
literals["log"] = 97;
literals["snp"] = 27;
literals["mac-address"] = 129;
literals["established"] = 75;
literals["deny"] = 65;
literals["information-request"] = 80;
literals["ssh"] = 73;
literals["protocol-object"] = 47;
literals["gt"] = 68;
literals["mac-address"] = 131;
literals["established"] = 76;
literals["deny"] = 66;
literals["information-request"] = 81;
literals["ssh"] = 74;
literals["protocol-object"] = 48;
literals["gt"] = 69;
literals["ah"] = 14;
literals["interval"] = 108;
literals["ddns"] = 124;
literals["ipv6"] = 128;
literals["rip"] = 72;
literals["baseTX"] = 119;
literals["access-group"] = 140;
literals["critical"] = 99;
literals["standard"] = 66;
literals["interval"] = 109;
literals["ddns"] = 126;
literals["ipv6"] = 130;
literals["rip"] = 73;
literals["baseTX"] = 121;
literals["access-group"] = 142;
literals["critical"] = 100;
literals["standard"] = 67;
literals["quit"] = 5;
literals["community-list"] = 7;
literals["network-object"] = 45;
literals["hostname"] = 60;
literals["information-reply"] = 79;
literals["icmp6"] = 38;
literals["switchport"] = 137;
literals["network-object"] = 46;
literals["hostname"] = 61;
literals["information-reply"] = 80;
literals["icmp6"] = 39;
literals["switchport"] = 139;
literals["ipsec"] = 21;
literals["conversion-error"] = 77;
literals["host"] = 32;
literals["echo-reply"] = 78;
literals["nameif"] = 120;
literals["conversion-error"] = 78;
literals["host"] = 33;
literals["echo-reply"] = 79;
literals["nameif"] = 122;
literals["pcp"] = 24;
literals["service-object"] = 51;
literals["service-object"] = 52;
literals["nat"] = 30;
literals["access-list"] = 62;
literals["informational"] = 103;
literals["access-list"] = 63;
literals["informational"] = 104;
literals["igrp"] = 19;
literals["traceroute"] = 92;
literals["address"] = 134;
literals["log-input"] = 97;
literals["router-advertisement"] = 86;
literals["router-solicitation"] = 87;
literals["access"] = 138;
literals["icmp-object"] = 48;
literals["source-quench"] = 88;
literals["protocol"] = 46;
literals["inactive"] = 107;
literals["multicast"] = 130;
literals["exit"] = 113;
literals["neq"] = 70;
literals["alternate-address"] = 76;
literals["traceroute"] = 93;
literals["address"] = 136;
literals["log-input"] = 98;
literals["router-advertisement"] = 87;
literals["router-solicitation"] = 88;
literals["access"] = 140;
literals["icmp-object"] = 49;
literals["source-quench"] = 89;
literals["protocol"] = 47;
literals["inactive"] = 108;
literals["multicast"] = 132;
literals["exit"] = 115;
literals["neq"] = 71;
literals["alternate-address"] = 77;
}
ANTLR_USE_NAMESPACE(antlr)RefToken PIXCfgLexer::nextToken()
@ -487,11 +488,11 @@ void PIXCfgLexer::mLINE_COMMENT(bool _createToken) {
}
}
else {
goto _loop248;
goto _loop263;
}
}
_loop248:;
_loop263:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -523,9 +524,9 @@ void PIXCfgLexer::mNEWLINE(bool _createToken) {
}
if ( inputState->guessing==0 ) {
#line 2024 "pix.g"
#line 2228 "pix.g"
newline();
#line 529 "PIXCfgLexer.cpp"
#line 530 "PIXCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -549,11 +550,11 @@ void PIXCfgLexer::mCOLON_COMMENT(bool _createToken) {
}
}
else {
goto _loop252;
goto _loop267;
}
}
_loop252:;
_loop267:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -647,9 +648,9 @@ void PIXCfgLexer::mWhitespace(bool _createToken) {
}
}
if ( inputState->guessing==0 ) {
#line 2019 "pix.g"
#line 2223 "pix.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
#line 653 "PIXCfgLexer.cpp"
#line 654 "PIXCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -771,10 +772,10 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
{
bool synPredMatched313 = false;
bool synPredMatched328 = false;
if (((LA(1) == 0x6f /* 'o' */ ) && (LA(2) == 0x62 /* 'b' */ ) && (LA(3) == 0x6a /* 'j' */ ))) {
int _m313 = mark();
synPredMatched313 = true;
int _m328 = mark();
synPredMatched328 = true;
inputState->guessing++;
try {
{
@ -783,12 +784,12 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched313 = false;
synPredMatched328 = false;
}
rewind(_m313);
rewind(_m328);
inputState->guessing--;
}
if ( synPredMatched313 ) {
if ( synPredMatched328 ) {
{
match("object");
{
@ -798,17 +799,17 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
match("oup");
}
if ( inputState->guessing==0 ) {
#line 2076 "pix.g"
#line 2280 "pix.g"
_ttype = OBJECT_GROUP;
#line 804 "PIXCfgLexer.cpp"
#line 805 "PIXCfgLexer.cpp"
}
}
else {
match("");
if ( inputState->guessing==0 ) {
#line 2078 "pix.g"
#line 2282 "pix.g"
_ttype = OBJECT;
#line 812 "PIXCfgLexer.cpp"
#line 813 "PIXCfgLexer.cpp"
}
}
@ -816,15 +817,15 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
else {
bool synPredMatched303 = false;
bool synPredMatched318 = false;
if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (true))) {
int _m303 = mark();
synPredMatched303 = true;
int _m318 = mark();
synPredMatched318 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt302=0;
int _cnt317=0;
for (;;) {
switch ( LA(1)) {
case 0x61 /* 'a' */ :
@ -853,27 +854,27 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
if ( _cnt302>=1 ) { goto _loop302; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt317>=1 ) { goto _loop317; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
}
_cnt302++;
_cnt317++;
}
_loop302:;
_loop317:;
} // ( ... )+
mCOLON(false);
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched303 = false;
synPredMatched318 = false;
}
rewind(_m303);
rewind(_m318);
inputState->guessing--;
}
if ( synPredMatched303 ) {
if ( synPredMatched318 ) {
{
{
{ // ( ... )+
int _cnt307=0;
int _cnt322=0;
for (;;) {
switch ( LA(1)) {
case 0x61 /* 'a' */ :
@ -902,15 +903,15 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
if ( _cnt307>=1 ) { goto _loop307; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt322>=1 ) { goto _loop322; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
}
_cnt307++;
_cnt322++;
}
_loop307:;
_loop322:;
} // ( ... )+
{ // ( ... )+
int _cnt311=0;
int _cnt326=0;
for (;;) {
if ((LA(1) == 0x3a /* ':' */ )) {
mCOLON(false);
@ -943,34 +944,34 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
goto _loop310;
goto _loop325;
}
}
}
_loop310:;
_loop325:;
} // ( ... )*
}
else {
if ( _cnt311>=1 ) { goto _loop311; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt326>=1 ) { goto _loop326; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt311++;
_cnt326++;
}
_loop311:;
_loop326:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2069 "pix.g"
#line 2273 "pix.g"
_ttype = IPV6;
#line 966 "PIXCfgLexer.cpp"
#line 967 "PIXCfgLexer.cpp"
}
}
}
else {
bool synPredMatched268 = false;
bool synPredMatched283 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true))) {
int _m268 = mark();
synPredMatched268 = true;
int _m283 = mark();
synPredMatched283 = true;
inputState->guessing++;
try {
{
@ -978,242 +979,242 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched268 = false;
synPredMatched283 = false;
}
rewind(_m268);
rewind(_m283);
inputState->guessing--;
}
if ( synPredMatched268 ) {
if ( synPredMatched283 ) {
{
bool synPredMatched277 = false;
bool synPredMatched292 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m277 = mark();
synPredMatched277 = true;
int _m292 = mark();
synPredMatched292 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt272=0;
int _cnt287=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt272>=1 ) { goto _loop272; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt287>=1 ) { goto _loop287; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt272++;
_cnt287++;
}
_loop272:;
_loop287:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt274=0;
int _cnt289=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt274>=1 ) { goto _loop274; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt289>=1 ) { goto _loop289; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt274++;
_cnt289++;
}
_loop274:;
_loop289:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt276=0;
int _cnt291=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt276>=1 ) { goto _loop276; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt291>=1 ) { goto _loop291; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt276++;
_cnt291++;
}
_loop276:;
_loop291:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched277 = false;
synPredMatched292 = false;
}
rewind(_m277);
rewind(_m292);
inputState->guessing--;
}
if ( synPredMatched277 ) {
if ( synPredMatched292 ) {
{
{ // ( ... )+
int _cnt280=0;
int _cnt295=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt280>=1 ) { goto _loop280; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt295>=1 ) { goto _loop295; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt280++;
_cnt295++;
}
_loop280:;
_loop295:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt282=0;
int _cnt297=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt282>=1 ) { goto _loop282; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt297>=1 ) { goto _loop297; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt282++;
_cnt297++;
}
_loop282:;
_loop297:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt284=0;
int _cnt299=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt284>=1 ) { goto _loop284; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt299>=1 ) { goto _loop299; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt284++;
_cnt299++;
}
_loop284:;
_loop299:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt286=0;
int _cnt301=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt286>=1 ) { goto _loop286; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt301>=1 ) { goto _loop301; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt286++;
_cnt301++;
}
_loop286:;
_loop301:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2057 "pix.g"
#line 2261 "pix.g"
_ttype = IPV4;
#line 1113 "PIXCfgLexer.cpp"
#line 1114 "PIXCfgLexer.cpp"
}
}
else {
bool synPredMatched292 = false;
bool synPredMatched307 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m292 = mark();
synPredMatched292 = true;
int _m307 = mark();
synPredMatched307 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt289=0;
int _cnt304=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt289>=1 ) { goto _loop289; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt304>=1 ) { goto _loop304; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt289++;
_cnt304++;
}
_loop289:;
_loop304:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt291=0;
int _cnt306=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt291>=1 ) { goto _loop291; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt306>=1 ) { goto _loop306; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt291++;
_cnt306++;
}
_loop291:;
_loop306:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched292 = false;
synPredMatched307 = false;
}
rewind(_m292);
rewind(_m307);
inputState->guessing--;
}
if ( synPredMatched292 ) {
if ( synPredMatched307 ) {
{
{ // ( ... )+
int _cnt295=0;
int _cnt310=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt295>=1 ) { goto _loop295; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt310>=1 ) { goto _loop310; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt295++;
_cnt310++;
}
_loop295:;
_loop310:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt297=0;
int _cnt312=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt297>=1 ) { goto _loop297; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt312>=1 ) { goto _loop312; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt297++;
_cnt312++;
}
_loop297:;
_loop312:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2060 "pix.g"
#line 2264 "pix.g"
_ttype = NUMBER;
#line 1196 "PIXCfgLexer.cpp"
#line 1197 "PIXCfgLexer.cpp"
}
}
else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) {
{ // ( ... )+
int _cnt299=0;
int _cnt314=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt299>=1 ) { goto _loop299; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt314>=1 ) { goto _loop314; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt299++;
_cnt314++;
}
_loop299:;
_loop314:;
} // ( ... )+
if ( inputState->guessing==0 ) {
#line 2062 "pix.g"
#line 2266 "pix.g"
_ttype = INT_CONST;
#line 1217 "PIXCfgLexer.cpp"
#line 1218 "PIXCfgLexer.cpp"
}
}
else {
@ -1306,8 +1307,10 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
case 0x25 /* '%' */ :
case 0x26 /* '&' */ :
case 0x27 /* '\'' */ :
case 0x28 /* '(' */ :
case 0x29 /* ')' */ :
{
matchRange('!','\'');
break;
}
case 0x2a /* '*' */ :
case 0x2b /* '+' */ :
case 0x2c /* ',' */ :
@ -1315,7 +1318,7 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
case 0x2e /* '.' */ :
case 0x2f /* '/' */ :
{
matchRange('!','/');
matchRange('*','/');
break;
}
case 0x30 /* '0' */ :
@ -1449,16 +1452,16 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
goto _loop319;
goto _loop334;
}
}
}
_loop319:;
_loop334:;
} // ( ... )*
if ( inputState->guessing==0 ) {
#line 2085 "pix.g"
#line 2289 "pix.g"
_ttype = WORD;
#line 1462 "PIXCfgLexer.cpp"
#line 1465 "PIXCfgLexer.cpp"
}
}
else {
@ -1500,11 +1503,11 @@ void PIXCfgLexer::mSTRING(bool _createToken) {
matchNot('\"' /* charlit */ );
}
else {
goto _loop322;
goto _loop337;
}
}
_loop322:;
_loop337:;
} // ( ... )*
match('\"' /* charlit */ );
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -1886,7 +1889,7 @@ const unsigned long PIXCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL,
// 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f
// 0x90 0x91 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d
// 0x9e 0x9f 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab
// 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3
// 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_0(_tokenSet_0_data_,16);
const unsigned long PIXCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14
@ -1897,7 +1900,7 @@ const unsigned long PIXCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 429496729
// 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91
// 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f
// 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad
// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3
// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_1(_tokenSet_1_data_,16);
const unsigned long PIXCfgLexer::_tokenSet_2_data_[] = { 0UL, 67043328UL, 0UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0 1 2 3 4 5 6 7 8 9 a b c d e f
@ -1921,6 +1924,6 @@ const unsigned long PIXCfgLexer::_tokenSet_6_data_[] = { 4294967288UL, 429496729
// 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91
// 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f
// 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad
// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3
// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_6(_tokenSet_6_data_,16);



@ -101,6 +101,9 @@ public:
public: void ssh_command();
public: void telnet_command();
public: void icmp_top_level_command();
public: void nat_old_top_level_command();
public: void global_top_level_command();
public: void static_top_level_command();
public: void access_group();
public: void exit();
public: void certificate();
@ -119,12 +122,13 @@ public:
public: void timeout_command();
public: void unknown_command();
public: void ip_protocol_names();
public: void named_object_network_parameters();
public: void named_object_nat();
public: void named_object_description();
public: void named_object_network_parameters();
public: void host_addr();
public: void range_addr();
public: void subnet_addr();
public: void named_object_description();
public: void interface_label();
public: void named_object_service_parameters();
public: void service_icmp();
public: void service_icmp6();
@ -192,10 +196,14 @@ public:
public: void v7_dhcp_address();
public: void v7_static_address();
public: void icmp_types_for_icmp_command();
public: void nat_old_top_level_command();
public: void nat_addr_match();
public: void nat_command_last_parameters();
public: void nat_new_top_level_command();
public: void global_top_level_command();
public: void static_top_level_command();
public: void static_starts_with_hostaddr();
public: void static_starts_with_tcp_udp();
public: void static_mapped_addr_match();
public: void static_real_addr_match();
public: void static_command_common_last_parameters();
public:
ANTLR_USE_NAMESPACE(antlr)RefAST getAST()
{
@ -207,10 +215,10 @@ protected:
private:
static const char* tokenNames[];
#ifndef NO_STATIC_CONSTS
static const int NUM_TOKENS = 180;
static const int NUM_TOKENS = 184;
#else
enum {
NUM_TOKENS = 180
NUM_TOKENS = 184
};
#endif
@ -282,6 +290,16 @@ private:
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_32;
static const unsigned long _tokenSet_33_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_33;
static const unsigned long _tokenSet_34_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_34;
static const unsigned long _tokenSet_35_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_35;
static const unsigned long _tokenSet_36_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_36;
static const unsigned long _tokenSet_37_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_37;
static const unsigned long _tokenSet_38_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_38;
};
#endif /*INC_PIXCfgParser_hpp_*/


@ -39,155 +39,159 @@ struct CUSTOM_API PIXCfgParserTokenTypes {
OBJECT = 28,
NETWORK = 29,
NAT = 30,
DESCRIPTION = 31,
HOST = 32,
RANGE = 33,
SUBNET = 34,
SERVICE = 35,
ICMP = 36,
INT_CONST = 37,
ICMP6 = 38,
TCP = 39,
UDP = 40,
SOURCE = 41,
DESTINATION = 42,
OBJECT_GROUP = 43,
GROUP_OBJECT = 44,
NETWORK_OBJECT = 45,
PROTOCOL = 46,
PROTOCOL_OBJECT = 47,
ICMP_OBJECT = 48,
ICMP_TYPE = 49,
TCP_UDP = 50,
SERVICE_OBJECT = 51,
PORT_OBJECT = 52,
CRYPTO = 53,
NO = 54,
CERTIFICATE = 55,
PIX_WORD = 56,
ASA_WORD = 57,
VERSION_WORD = 58,
NUMBER = 59,
HOSTNAME = 60,
STRING = 61,
ACCESS_LIST = 62,
EXTENDED = 63,
PERMIT = 64,
DENY = 65,
STANDARD = 66,
P_EQ = 67,
P_GT = 68,
P_LT = 69,
P_NEQ = 70,
ECHO = 71,
RIP = 72,
SSH = 73,
TELNET = 74,
ESTABLISHED = 75,
ALTERNATE_ADDRESS = 76,
CONVERSION_ERROR = 77,
ECHO_REPLY = 78,
INFORMATION_REPLY = 79,
INFORMATION_REQUEST = 80,
MASK_REPLY = 81,
MASK_REQUEST = 82,
MOBILE_REDIRECT = 83,
PARAMETER_PROBLEM = 84,
REDIRECT = 85,
ROUTER_ADVERTISEMENT = 86,
ROUTER_SOLICITATION = 87,
SOURCE_QUENCH = 88,
TIME_EXCEEDED = 89,
TIMESTAMP_REPLY = 90,
TIMESTAMP_REQUEST = 91,
TRACEROUTE = 92,
UNREACHABLE = 93,
INTRFACE = 94,
ANY = 95,
LOG = 96,
LOG_INPUT = 97,
LOG_LEVEL_ALERTS = 98,
LOG_LEVEL_CRITICAL = 99,
LOG_LEVEL_DEBUGGING = 100,
LOG_LEVEL_EMERGENCIES = 101,
LOG_LEVEL_ERRORS = 102,
LOG_LEVEL_INFORMATIONAL = 103,
LOG_LEVEL_NOTIFICATIONS = 104,
LOG_LEVEL_WARNINGS = 105,
LOG_LEVEL_DISABLE = 106,
LOG_LEVEL_INACTIVE = 107,
INTERVAL = 108,
FRAGMENTS = 109,
TIME_RANGE = 110,
CONTROLLER = 111,
LINE_COMMENT = 112,
EXIT = 113,
AUI = 114,
AUTO = 115,
BNC = 116,
FULL = 117,
BASET = 118,
BASETX = 119,
NAMEIF = 120,
VLAN = 121,
SPEED = 122,
DUPLEX = 123,
DDNS = 124,
FORWARD = 125,
DELAY = 126,
HOLD_TIME = 127,
IPV6_C = 128,
MAC_ADDRESS = 129,
MULTICAST = 130,
PPPOE = 131,
SEC_LEVEL = 132,
SHUTDOWN = 133,
ADDRESS = 134,
DHCP = 135,
STANDBY = 136,
SWITCHPORT = 137,
ACCESS = 138,
REMARK = 139,
ACCESS_GROUP = 140,
COLON_COMMENT = 141,
GLOBAL = 142,
STATIC = 143,
SECONDARY = 144,
SETROUTE = 145,
Whitespace = 146,
HEX_CONST = 147,
NEG_INT_CONST = 148,
DIGIT = 149,
HEXDIGIT = 150,
NUMBER_ADDRESS_OR_WORD = 151,
PIPE_CHAR = 152,
NUMBER_SIGN = 153,
PERCENT = 154,
AMPERSAND = 155,
APOSTROPHE = 156,
OPENING_PAREN = 157,
CLOSING_PAREN = 158,
STAR = 159,
PLUS = 160,
COMMA = 161,
MINUS = 162,
DOT = 163,
SLASH = 164,
COLON = 165,
SEMICOLON = 166,
LESS_THAN = 167,
EQUALS = 168,
GREATER_THAN = 169,
QUESTION = 170,
COMMERCIAL_AT = 171,
OPENING_SQUARE = 172,
CLOSING_SQUARE = 173,
CARET = 174,
UNDERLINE = 175,
OPENING_BRACE = 176,
CLOSING_BRACE = 177,
TILDE = 178,
EXLAMATION = 179,
OPENING_PAREN = 31,
DESCRIPTION = 32,
HOST = 33,
RANGE = 34,
SUBNET = 35,
SERVICE = 36,
ICMP = 37,
INT_CONST = 38,
ICMP6 = 39,
TCP = 40,
UDP = 41,
SOURCE = 42,
DESTINATION = 43,
OBJECT_GROUP = 44,
GROUP_OBJECT = 45,
NETWORK_OBJECT = 46,
PROTOCOL = 47,
PROTOCOL_OBJECT = 48,
ICMP_OBJECT = 49,
ICMP_TYPE = 50,
TCP_UDP = 51,
SERVICE_OBJECT = 52,
PORT_OBJECT = 53,
CRYPTO = 54,
NO = 55,
CERTIFICATE = 56,
PIX_WORD = 57,
ASA_WORD = 58,
VERSION_WORD = 59,
NUMBER = 60,
HOSTNAME = 61,
STRING = 62,
ACCESS_LIST = 63,
EXTENDED = 64,
PERMIT = 65,
DENY = 66,
STANDARD = 67,
P_EQ = 68,
P_GT = 69,
P_LT = 70,
P_NEQ = 71,
ECHO = 72,
RIP = 73,
SSH = 74,
TELNET = 75,
ESTABLISHED = 76,
ALTERNATE_ADDRESS = 77,
CONVERSION_ERROR = 78,
ECHO_REPLY = 79,
INFORMATION_REPLY = 80,
INFORMATION_REQUEST = 81,
MASK_REPLY = 82,
MASK_REQUEST = 83,
MOBILE_REDIRECT = 84,
PARAMETER_PROBLEM = 85,
REDIRECT = 86,
ROUTER_ADVERTISEMENT = 87,
ROUTER_SOLICITATION = 88,
SOURCE_QUENCH = 89,
TIME_EXCEEDED = 90,
TIMESTAMP_REPLY = 91,
TIMESTAMP_REQUEST = 92,
TRACEROUTE = 93,
UNREACHABLE = 94,
INTRFACE = 95,
ANY = 96,
LOG = 97,
LOG_INPUT = 98,
LOG_LEVEL_ALERTS = 99,
LOG_LEVEL_CRITICAL = 100,
LOG_LEVEL_DEBUGGING = 101,
LOG_LEVEL_EMERGENCIES = 102,
LOG_LEVEL_ERRORS = 103,
LOG_LEVEL_INFORMATIONAL = 104,
LOG_LEVEL_NOTIFICATIONS = 105,
LOG_LEVEL_WARNINGS = 106,
LOG_LEVEL_DISABLE = 107,
LOG_LEVEL_INACTIVE = 108,
INTERVAL = 109,
FRAGMENTS = 110,
TIME_RANGE = 111,
CONTROLLER = 112,
OUTSIDE = 113,
LINE_COMMENT = 114,
EXIT = 115,
AUI = 116,
AUTO = 117,
BNC = 118,
FULL = 119,
BASET = 120,
BASETX = 121,
NAMEIF = 122,
VLAN = 123,
SPEED = 124,
DUPLEX = 125,
DDNS = 126,
FORWARD = 127,
DELAY = 128,
HOLD_TIME = 129,
IPV6_C = 130,
MAC_ADDRESS = 131,
MULTICAST = 132,
PPPOE = 133,
SEC_LEVEL = 134,
SHUTDOWN = 135,
ADDRESS = 136,
DHCP = 137,
STANDBY = 138,
SWITCHPORT = 139,
ACCESS = 140,
REMARK = 141,
ACCESS_GROUP = 142,
COLON_COMMENT = 143,
CLOSING_PAREN = 144,
DNS = 145,
GLOBAL = 146,
STATIC = 147,
COMMA = 148,
NETMASK = 149,
IPv4 = 150,
SECONDARY = 151,
SETROUTE = 152,
Whitespace = 153,
HEX_CONST = 154,
NEG_INT_CONST = 155,
DIGIT = 156,
HEXDIGIT = 157,
NUMBER_ADDRESS_OR_WORD = 158,
PIPE_CHAR = 159,
NUMBER_SIGN = 160,
PERCENT = 161,
AMPERSAND = 162,
APOSTROPHE = 163,
STAR = 164,
PLUS = 165,
MINUS = 166,
DOT = 167,
SLASH = 168,
COLON = 169,
SEMICOLON = 170,
LESS_THAN = 171,
EQUALS = 172,
GREATER_THAN = 173,
QUESTION = 174,
COMMERCIAL_AT = 175,
OPENING_SQUARE = 176,
CLOSING_SQUARE = 177,
CARET = 178,
UNDERLINE = 179,
OPENING_BRACE = 180,
CLOSING_BRACE = 181,
TILDE = 182,
EXLAMATION = 183,
NULL_TREE_LOOKAHEAD = 3
};
#ifdef __cplusplus


@ -27,152 +27,156 @@ SNP="snp"=27
OBJECT=28
NETWORK="network"=29
NAT="nat"=30
DESCRIPTION="description"=31
HOST="host"=32
RANGE="range"=33
SUBNET="subnet"=34
SERVICE="service"=35
ICMP="icmp"=36
INT_CONST=37
ICMP6="icmp6"=38
TCP="tcp"=39
UDP="udp"=40
SOURCE="source"=41
DESTINATION="destination"=42
OBJECT_GROUP=43
GROUP_OBJECT="group-object"=44
NETWORK_OBJECT="network-object"=45
PROTOCOL="protocol"=46
PROTOCOL_OBJECT="protocol-object"=47
ICMP_OBJECT="icmp-object"=48
ICMP_TYPE="icmp-type"=49
TCP_UDP="tcp-udp"=50
SERVICE_OBJECT="service-object"=51
PORT_OBJECT="port-object"=52
CRYPTO="crypto"=53
NO="no"=54
CERTIFICATE="certificate"=55
PIX_WORD="PIX"=56
ASA_WORD="ASA"=57
VERSION_WORD="Version"=58
NUMBER=59
HOSTNAME="hostname"=60
STRING=61
ACCESS_LIST="access-list"=62
EXTENDED="extended"=63
PERMIT="permit"=64
DENY="deny"=65
STANDARD="standard"=66
P_EQ="eq"=67
P_GT="gt"=68
P_LT="lt"=69
P_NEQ="neq"=70
ECHO="echo"=71
RIP="rip"=72
SSH="ssh"=73
TELNET="telnet"=74
ESTABLISHED="established"=75
ALTERNATE_ADDRESS="alternate-address"=76
CONVERSION_ERROR="conversion-error"=77
ECHO_REPLY="echo-reply"=78
INFORMATION_REPLY="information-reply"=79
INFORMATION_REQUEST="information-request"=80
MASK_REPLY="mask-reply"=81
MASK_REQUEST="mask-request"=82
MOBILE_REDIRECT="mobile-redirect"=83
PARAMETER_PROBLEM="parameter-problem"=84
REDIRECT="redirect"=85
ROUTER_ADVERTISEMENT="router-advertisement"=86
ROUTER_SOLICITATION="router-solicitation"=87
SOURCE_QUENCH="source-quench"=88
TIME_EXCEEDED="time-exceeded"=89
TIMESTAMP_REPLY="timestamp-reply"=90
TIMESTAMP_REQUEST="timestamp-request"=91
TRACEROUTE="traceroute"=92
UNREACHABLE="unreachable"=93
INTRFACE="interface"=94
ANY="any"=95
LOG="log"=96
LOG_INPUT="log-input"=97
LOG_LEVEL_ALERTS="alerts"=98
LOG_LEVEL_CRITICAL="critical"=99
LOG_LEVEL_DEBUGGING="debugging"=100
LOG_LEVEL_EMERGENCIES="emergencies"=101
LOG_LEVEL_ERRORS="errors"=102
LOG_LEVEL_INFORMATIONAL="informational"=103
LOG_LEVEL_NOTIFICATIONS="notifications"=104
LOG_LEVEL_WARNINGS="warnings"=105
LOG_LEVEL_DISABLE="disable"=106
LOG_LEVEL_INACTIVE="inactive"=107
INTERVAL="interval"=108
FRAGMENTS="fragments"=109
TIME_RANGE="time-range"=110
CONTROLLER="controller"=111
LINE_COMMENT=112
EXIT="exit"=113
AUI="aui"=114
AUTO="auto"=115
BNC="bnc"=116
FULL="full"=117
BASET="baseT"=118
BASETX="baseTX"=119
NAMEIF="nameif"=120
VLAN="vlan"=121
SPEED="speed"=122
DUPLEX="duplex"=123
DDNS="ddns"=124
FORWARD="forward"=125
DELAY="delay"=126
HOLD_TIME="hold-time"=127
IPV6_C="ipv6"=128
MAC_ADDRESS="mac-address"=129
MULTICAST="multicast"=130
PPPOE=131
SEC_LEVEL="security-level"=132
SHUTDOWN="shutdown"=133
ADDRESS="address"=134
DHCP="dhcp"=135
STANDBY="standby"=136
SWITCHPORT="switchport"=137
ACCESS="access"=138
REMARK="remark"=139
ACCESS_GROUP="access-group"=140
COLON_COMMENT=141
GLOBAL="global"=142
STATIC="static"=143
SECONDARY="secondary"=144
SETROUTE="setroute"=145
Whitespace=146
HEX_CONST=147
NEG_INT_CONST=148
DIGIT=149
HEXDIGIT=150
NUMBER_ADDRESS_OR_WORD=151
PIPE_CHAR=152
NUMBER_SIGN=153
PERCENT=154
AMPERSAND=155
APOSTROPHE=156
OPENING_PAREN=157
CLOSING_PAREN=158
STAR=159
PLUS=160
COMMA=161
MINUS=162
DOT=163
SLASH=164
COLON=165
SEMICOLON=166
LESS_THAN=167
EQUALS=168
GREATER_THAN=169
QUESTION=170
COMMERCIAL_AT=171
OPENING_SQUARE=172
CLOSING_SQUARE=173
CARET=174
UNDERLINE=175
OPENING_BRACE=176
CLOSING_BRACE=177
TILDE=178
EXLAMATION=179
OPENING_PAREN=31
DESCRIPTION="description"=32
HOST="host"=33
RANGE="range"=34
SUBNET="subnet"=35
SERVICE="service"=36
ICMP="icmp"=37
INT_CONST=38
ICMP6="icmp6"=39
TCP="tcp"=40
UDP="udp"=41
SOURCE="source"=42
DESTINATION="destination"=43
OBJECT_GROUP=44
GROUP_OBJECT="group-object"=45
NETWORK_OBJECT="network-object"=46
PROTOCOL="protocol"=47
PROTOCOL_OBJECT="protocol-object"=48
ICMP_OBJECT="icmp-object"=49
ICMP_TYPE="icmp-type"=50
TCP_UDP="tcp-udp"=51
SERVICE_OBJECT="service-object"=52
PORT_OBJECT="port-object"=53
CRYPTO="crypto"=54
NO="no"=55
CERTIFICATE="certificate"=56
PIX_WORD="PIX"=57
ASA_WORD="ASA"=58
VERSION_WORD="Version"=59
NUMBER=60
HOSTNAME="hostname"=61
STRING=62
ACCESS_LIST="access-list"=63
EXTENDED="extended"=64
PERMIT="permit"=65
DENY="deny"=66
STANDARD="standard"=67
P_EQ="eq"=68
P_GT="gt"=69
P_LT="lt"=70
P_NEQ="neq"=71
ECHO="echo"=72
RIP="rip"=73
SSH="ssh"=74
TELNET="telnet"=75
ESTABLISHED="established"=76
ALTERNATE_ADDRESS="alternate-address"=77
CONVERSION_ERROR="conversion-error"=78
ECHO_REPLY="echo-reply"=79
INFORMATION_REPLY="information-reply"=80
INFORMATION_REQUEST="information-request"=81
MASK_REPLY="mask-reply"=82
MASK_REQUEST="mask-request"=83
MOBILE_REDIRECT="mobile-redirect"=84
PARAMETER_PROBLEM="parameter-problem"=85
REDIRECT="redirect"=86
ROUTER_ADVERTISEMENT="router-advertisement"=87
ROUTER_SOLICITATION="router-solicitation"=88
SOURCE_QUENCH="source-quench"=89
TIME_EXCEEDED="time-exceeded"=90
TIMESTAMP_REPLY="timestamp-reply"=91
TIMESTAMP_REQUEST="timestamp-request"=92
TRACEROUTE="traceroute"=93
UNREACHABLE="unreachable"=94
INTRFACE="interface"=95
ANY="any"=96
LOG="log"=97
LOG_INPUT="log-input"=98
LOG_LEVEL_ALERTS="alerts"=99
LOG_LEVEL_CRITICAL="critical"=100
LOG_LEVEL_DEBUGGING="debugging"=101
LOG_LEVEL_EMERGENCIES="emergencies"=102
LOG_LEVEL_ERRORS="errors"=103
LOG_LEVEL_INFORMATIONAL="informational"=104
LOG_LEVEL_NOTIFICATIONS="notifications"=105
LOG_LEVEL_WARNINGS="warnings"=106
LOG_LEVEL_DISABLE="disable"=107
LOG_LEVEL_INACTIVE="inactive"=108
INTERVAL="interval"=109
FRAGMENTS="fragments"=110
TIME_RANGE="time-range"=111
CONTROLLER="controller"=112
OUTSIDE="outside"=113
LINE_COMMENT=114
EXIT="exit"=115
AUI="aui"=116
AUTO="auto"=117
BNC="bnc"=118
FULL="full"=119
BASET="baseT"=120
BASETX="baseTX"=121
NAMEIF="nameif"=122
VLAN="vlan"=123
SPEED="speed"=124
DUPLEX="duplex"=125
DDNS="ddns"=126
FORWARD="forward"=127
DELAY="delay"=128
HOLD_TIME="hold-time"=129
IPV6_C="ipv6"=130
MAC_ADDRESS="mac-address"=131
MULTICAST="multicast"=132
PPPOE=133
SEC_LEVEL="security-level"=134
SHUTDOWN="shutdown"=135
ADDRESS="address"=136
DHCP="dhcp"=137
STANDBY="standby"=138
SWITCHPORT="switchport"=139
ACCESS="access"=140
REMARK="remark"=141
ACCESS_GROUP="access-group"=142
COLON_COMMENT=143
CLOSING_PAREN=144
DNS=145
GLOBAL="global"=146
STATIC="static"=147
COMMA=148
NETMASK=149
IPv4=150
SECONDARY="secondary"=151
SETROUTE="setroute"=152
Whitespace=153
HEX_CONST=154
NEG_INT_CONST=155
DIGIT=156
HEXDIGIT=157
NUMBER_ADDRESS_OR_WORD=158
PIPE_CHAR=159
NUMBER_SIGN=160
PERCENT=161
AMPERSAND=162
APOSTROPHE=163
STAR=164
PLUS=165
MINUS=166
DOT=167
SLASH=168
COLON=169
SEMICOLON=170
LESS_THAN=171
EQUALS=172
GREATER_THAN=173
QUESTION=174
COMMERCIAL_AT=175
OPENING_SQUARE=176
CLOSING_SQUARE=177
CARET=178
UNDERLINE=179
OPENING_BRACE=180
CLOSING_BRACE=181
TILDE=182
EXLAMATION=183


@ -135,14 +135,14 @@ cfgfile :
|
icmp_top_level_command
|
// nat_old_top_level_command
// |
nat_old_top_level_command
|
// nat_new_top_level_command
// |
// global_top_level_command
// |
// static_top_level_command
// |
global_top_level_command
|
static_top_level_command
|
access_group
|
exit
@ -255,26 +255,26 @@ named_object_network : OBJECT NETWORK name:WORD NEWLINE
<< " Named Object " << name->getText() << std::endl;
}
(
named_object_nat
|
named_object_description
|
named_object_network_parameters
)*
;
named_object_network_parameters :
(
named_object_nat
|
host_addr
|
range_addr
|
subnet_addr
|
named_object_description
)
NEWLINE
;
named_object_nat : NAT
named_object_nat : NAT OPENING_PAREN interface_label
{
importer->addMessageToLog(
"Parser warning: "
@ -284,7 +284,7 @@ named_object_nat : NAT
}
;
named_object_description : DESCRIPTION
named_object_description : DESCRIPTION
{
importer->setCurrentLineNumber(LT(0)->getLine());
*dbg << LT(1)->getLine() << ":";
@ -299,12 +299,6 @@ named_object_description : DESCRIPTION
}
;
// construct such as "host 2001:0db8:85a3:0000:0000:8a2e:0370:7334" does not
// parse but the parser should not fail catastrophically and should continue
// working with input stream. This grammar splits words on ":" boundary and
// so the ipv6 address appears as token INT_CONST (2001), then a word that
// starts with ':'.
//
host_addr : (HOST (h:IPV4 | v6:IPV6))
{
importer->setCurrentLineNumber(LT(0)->getLine());
@ -1211,11 +1205,11 @@ hostaddr_expr_2 : hostaddr_expr ;
hostaddr_expr_3 : hostaddr_expr ;
hostaddr_expr :
INTRFACE intf_name:WORD
INTRFACE interface_label
{
importer->tmp_a = intf_name->getText();
importer->tmp_a = LT(0)->getText();
importer->tmp_nm = "interface";
*dbg << "object " << intf_name->getText() << " ";
*dbg << "object " << LT(0)->getText() << " ";
}
|
( ( OBJECT | OBJECT_GROUP ) name:WORD )
@ -1350,6 +1344,11 @@ controller : CONTROLLER
intrface : INTRFACE ( interface_command_6 | interface_command_7 )
;
// unfortunately word "outside" is used as a keyword in nat commands
// and is also common interface label
interface_label : WORD | OUTSIDE
;
interface_command_6 : in:WORD pix6_interface_hw_speed // pix 6
{
importer->setCurrentLineNumber(LT(0)->getLine());
@ -1383,15 +1382,22 @@ interface_command_7 {bool have_interface_parameters = false;} : in:WORD NEWLINE
pix6_interface_hw_speed : (
AUI | AUTO | BNC | ( INT_CONST ( FULL | BASET | BASETX | AUTO ) )
)
;
;
nameif_top_level : NAMEIF p_intf:WORD intf_label:WORD sec_level:WORD
nameif_top_level
{
std::string label = (intf_label) ? intf_label->getText() : "";
std::string seclevel = (sec_level) ? sec_level->getText() : "";
importer->setInterfaceParametes(p_intf->getText(), label, seclevel);
std::string intf_name, intf_label, sec_level;
} :
NAMEIF
WORD { intf_name = LT(0)->getText(); }
interface_label { intf_label = LT(0)->getText(); }
WORD { sec_level = LT(0)->getText(); }
{
importer->setInterfaceParametes(intf_name, intf_label, sec_level);
*dbg << " NAMEIF: "
<< p_intf->getText() << label << seclevel << std::endl;
<< intf_name << " "
<< intf_label << " "
<< sec_level << std::endl;
}
;
@ -1493,17 +1499,10 @@ sec_level : SEC_LEVEL sec_level:INT_CONST
// context in the grammar, function setInterfaceParametes() can locate
// right interface using its first parameter.
//
nameif : NAMEIF p_intf:WORD
(
( WORD ) => intf_label:WORD sec_level:WORD |
( )
)
nameif : NAMEIF interface_label
{
std::string label = (intf_label) ? intf_label->getText() : "";
std::string seclevel = (sec_level) ? sec_level->getText() : "";
importer->setInterfaceParametes(p_intf->getText(), label, seclevel);
*dbg << " NAMEIF: "
<< p_intf->getText() << label << seclevel << std::endl;
importer->setInterfaceParametes(LT(0)->getText(), "", "");
*dbg << " NAMEIF: " << LT(0)->getText() << std::endl;
}
;
@ -1642,10 +1641,11 @@ ssh_command : SSH
{
importer->SaveTmpAddrToSrc();
}
intf_label:WORD
interface_label
)
{
std::string acl_name = "ssh_commands_" + intf_label->getText();
std::string intf_label = LT(0)->getText();
std::string acl_name = "ssh_commands_" + intf_label;
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME );
importer->newPolicyRule();
@ -1655,7 +1655,7 @@ ssh_command : SSH
importer->dst_port_op = "eq";
importer->dst_port_spec = "ssh";
importer->setInterfaceAndDirectionForRuleSet(
acl_name, intf_label->getText(), "in" );
acl_name, intf_label, "in" );
importer->pushRule();
*dbg << std::endl;
}
@ -1673,10 +1673,11 @@ telnet_command : TELNET
{
importer->SaveTmpAddrToSrc();
}
intf_label:WORD
interface_label
)
{
std::string acl_name = "telnet_commands_" + intf_label->getText();
std::string intf_label = LT(0)->getText();
std::string acl_name = "telnet_commands_" + intf_label;
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME );
importer->newPolicyRule();
@ -1686,7 +1687,7 @@ telnet_command : TELNET
importer->dst_port_op = "eq";
importer->dst_port_spec = "telnet";
importer->setInterfaceAndDirectionForRuleSet(
acl_name, intf_label->getText(), "in" );
acl_name, intf_label, "in" );
importer->pushRule();
*dbg << std::endl;
}
@ -1718,9 +1719,10 @@ icmp_top_level_command : ICMP
importer->SaveTmpAddrToSrc();
}
( icmp_types_for_icmp_command )?
intf_label:WORD
interface_label
{
std::string acl_name = "icmp_commands_" + intf_label->getText();
std::string intf_label = LT(0)->getText();
std::string acl_name = "icmp_commands_" + intf_label;
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newUnidirRuleSet(acl_name, libfwbuilder::Policy::TYPENAME );
importer->newPolicyRule();
@ -1729,7 +1731,7 @@ icmp_top_level_command : ICMP
importer->setDstSelf();
importer->protocol = "icmp";
importer->setInterfaceAndDirectionForRuleSet(
acl_name, intf_label->getText(), "in" );
acl_name, intf_label, "in" );
importer->pushRule();
}
)
@ -1776,16 +1778,17 @@ remark : REMARK
//****************************************************************
access_group : ACCESS_GROUP aclname:WORD dir:WORD INTRFACE intf_label:WORD
access_group : ACCESS_GROUP aclname:WORD dir:WORD INTRFACE interface_label
{
std::string intf_label = LT(0)->getText();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->setInterfaceAndDirectionForRuleSet(
aclname->getText(),
intf_label->getText(),
intf_label,
dir->getText() );
*dbg << LT(1)->getLine() << ":"
<< " INTRFACE: ACL '" << aclname->getText() << "'"
<< " " << intf_label->getText()
<< " " << intf_label
<< " " << dir->getText() << std::endl;
}
;
@ -1801,10 +1804,69 @@ comment : (LINE_COMMENT | COLON_COMMENT) ;
//****************************************************************
// NAT commands
nat_old_top_level_command : NAT
{
consumeUntil(NEWLINE);
}
nat_old_top_level_command :
NAT OPENING_PAREN
interface_label { importer->prenat_interface = LT(0)->getText(); }
CLOSING_PAREN
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME );
*dbg << " SNAT rule " << std::endl;
importer->rule_type = libfwbuilder::NATRule::SNAT;
}
// <0-2147483647> The <nat_id> of this group of hosts/networks.
INT_CONST
{
importer->nat_num = LT(0)->getText();
}
// Hostname or A.B.C.D The hosts/networks in this <nat_id> group
// access-list Specify access-list name after this keyword
nat_addr_match
nat_command_last_parameters
NEWLINE
{
importer->pushNATRule();
}
;
nat_addr_match :
(
host_addr // real
{
importer->nat_a = importer->tmp_a;
importer->nat_nm = importer->tmp_nm;
}
|
ACCESS_LIST acl_name:WORD
{
importer->nat_acl = acl_name->getText();
}
)
;
nat_command_last_parameters :
// <0-65535> The maximum number of simultaneous TCP connections
// dns Rewrite DNS address record
// norandomseq Disable TCP sequence number randomization
// outside Enable Outside NAT
// tcp Configure TCP specific parameters
// udp Configure UDP specific parameters
(DNS)?
(OUTSIDE)?
(TCP | UDP)?
max_conn:INT_CONST (max_emb_conn:INT_CONST)?
{
importer->static_max_conn = max_conn->getText();
if (max_emb_conn)
importer->static_max_emb_conn = max_emb_conn->getText();
}
;
nat_new_top_level_command : NAT
@ -1813,18 +1875,157 @@ nat_new_top_level_command : NAT
}
;
global_top_level_command : GLOBAL
global_top_level_command :
GLOBAL OPENING_PAREN
interface_label { importer->global_interface = LT(0)->getText(); }
CLOSING_PAREN num:INT_CONST
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->global_pool_num = num->getText();
*dbg << " global address pool "
<< importer->global_pool_num
<< " "
<< importer->global_interface
<< std::endl;
}
{
consumeUntil(NEWLINE);
}
;
static_top_level_command : STATIC
{
consumeUntil(NEWLINE);
}
static_top_level_command :
STATIC OPENING_PAREN prenat_intf:WORD
COMMA postnat_intf:WORD CLOSING_PAREN
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME );
*dbg << " DNAT rule " << std::endl;
importer->rule_type = libfwbuilder::NATRule::DNAT;
importer->prenat_interface = prenat_intf->getText();
importer->postnat_interface = postnat_intf->getText();
}
// Hostname or A.B.C.D Global or mapped address
// interface Global address overload from interface
// tcp TCP to be used as transport protocol
// udp UDP to be used as transport protocol
(
static_starts_with_hostaddr
|
static_starts_with_tcp_udp
)
NEWLINE
{
importer->pushNATRule();
}
;
static_starts_with_hostaddr :
static_mapped_addr_match
// Hostname or A.B.C.D Real IP address of the host or hosts
// access-list Configure access-list name after this keyw
static_real_addr_match
static_command_common_last_parameters
;
static_mapped_addr_match :
(
host_addr
{
importer->mapped_a = importer->tmp_a;
importer->mapped_nm = importer->tmp_nm;
}
|
INTRFACE
{
importer->mapped_a = "interface";
importer->mapped_nm = "";
}
)
;
static_real_addr_match :
(
host_addr // real
{
importer->real_a = importer->tmp_a;
importer->real_nm = importer->tmp_nm;
}
|
ACCESS_LIST acl_name:WORD
{
importer->real_addr_acl = acl_name->getText();
}
)
;
static_starts_with_tcp_udp : ( TCP | UDP )
{
importer->protocol = LT(0)->getText();
*dbg << " SERVICE TCP/UDP" << LT(0)->getText() << " ";
}
// Hostname or A.B.C.D Global or mapped address
// interface Global address overload from interface
static_mapped_addr_match
// <0-65535> Enter port number (0 - 65535)
// aol
// bgp
// chargen
tcp_udp_port_spec
{
importer->mapped_port_spec = importer->tmp_port_spec_2;
*dbg << "mapped port " << importer->mapped_port_spec;
}
// Hostname or A.B.C.D Real IP address of the host or hosts
// access-list Configure access-list name after this keyword
static_real_addr_match
// <0-65535> Enter port number (0 - 65535)
// aol
// bgp
// chargen
tcp_udp_port_spec
{
importer->real_port_spec = importer->tmp_port_spec_2;
*dbg << "real port " << importer->real_port_spec;
}
static_command_common_last_parameters
;
static_command_common_last_parameters :
// <0-65535> The maximum number of simultaneous tcp connections
// dns Use the created xlate to rewrite DNS address record
// netmask Configure Netmask to apply to IP addresses
// norandomseq Disable TCP sequence number randomization
// tcp Configure TCP specific parameters
// udp Configure UDP specific parameters
NETMASK nm:IPv4
{
importer->mapped_nm = nm->getText();
}
|
(TCP | UDP)
{
// <0-65535> The maximum number of simultaneous tcp connections
}
|
max_conn:INT_CONST (max_emb_conn:INT_CONST)?
{
importer->static_max_conn = max_conn->getText();
if (max_emb_conn)
importer->static_max_emb_conn = max_emb_conn->getText();
}
;
//****************************************************************
@ -1863,6 +2064,8 @@ tokens
INTERVAL = "interval";
OUTSIDE = "outside";
VLAN = "vlan";
SWITCHPORT = "switchport";
ACCESS = "access";
@ -1922,6 +2125,7 @@ tokens
RANGE = "range";
LOG = "log";
LOG_INPUT = "log-input";
@ -2080,7 +2284,7 @@ NUMBER_ADDRESS_OR_WORD :
)
|
( 'a'..'z' | 'A'..'Z' | '$' )
( '!'..'/' | '0'..'9' | ':' | ';' | '<' | '=' | '>' |
( '!'..'\'' | '*'..'/' | '0'..'9' | ':' | ';' | '<' | '=' | '>' |
'?' | '@' | 'A'..'Z' | '\\' | '^' | '_' | '`' | 'a'..'z' )*
{ _ttype = WORD; }
)
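Review bot: In `nat_old_top_level_command` the interface label is stored into `importer->prenat_interface` before the action that calls `importer->clear()`, and `PIXImporter::clear()` resets `prenat_interface` to an empty string, so the SNAT rule is pushed with its real-side interface lost; `static_top_level_command` in the same hunk gets the order right by clearing first, and the fix is to move `importer->clear();` into an action placed before `interface_label` (the same ordering applies to `global_interface` in `global_top_level_command` if `clear()` also resets that field). In `nat_command_last_parameters` `max_conn:INT_CONST` is mandatory, yet the fixture added by this commit contains `nat (inside) 1 access-list id12251X6282.0` with no trailing connection limits, so that line should fail to parse; `( max_conn:INT_CONST (max_emb_conn:INT_CONST)? )?` would make the limits optional as they are on the device. `nat_addr_match`, `static_mapped_addr_match` and `static_real_addr_match` reuse `host_addr`, which is defined as `HOST (IPV4 | IPV6)`, while the fixture's `static (inside,dmz102) 192.168.1.0 192.168.1.0 netmask 255.255.255.0` gives bare addresses; `hostaddr_expr`, which already fills `tmp_a`/`tmp_nm`, looks like the intended rule, but that needs confirming against the parts of the grammar not in this diff. Because these rules decide which NAT rules reach the imported policy, a parse failure or an emptied interface silently yields a policy that differs from the device's, so an expected-output test covering the fixture's nat/static lines would catch all three.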


@ -0,0 +1,231 @@
: Saved
:
PIX Version 7.2(1)
!
terminal width 511
hostname pix1
domain-name some-domain.org
enable password XXXXXXXXXXXXXXXX encrypted
names
name 1.2.3.4 gw
name 192.168.3.0 fake_network
name 192.168.4.1 inside_ip
!
dns-guard
!
interface Ethernet0
no nameif
no security-level
no ip address
!
interface Ethernet0.101
vlan 101
nameif outside
security-level 0
ip address 192.0.2.253 255.255.255.0
!
interface Ethernet0.102
vlan 102
nameif dmz102
security-level 20
ip address 10.0.0.253 255.255.255.0 standby 10.0.0.254
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.206 255.255.255.0
!
interface Ethernet2
description LAN/STATE Failover Interface
speed 10
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet6
!
passwd MMMMMMMMMMMMMMMM encrypted
boot system flash:/pix721.bin
ftp mode passive
clock timezone PDT -7
dns server-group DefaultDNS
domain-name some-domain.org
object-group network outside.id12051X6282.src.net.0
network-object host 10.1.1.206
network-object host 10.1.1.207
object-group network outside.id12051X6282.src.net.1
network-object host 172.17.1.253
network-object host 172.17.1.254
network-object host 192.0.2.253
network-object host 192.0.2.254
object-group network outside.id12051X6282.src.net.2
network-object host 10.0.0.253
network-object host 10.0.0.254
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.0 any log warnings
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.1 any log warnings
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.2 any log warnings
access-list outside_in extended deny ip 10.1.1.0 255.255.255.0 any log warnings
access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.0 10.1.1.0 255.255.255.0 eq domain log warnings
access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.1 10.1.1.0 255.255.255.0 eq domain log warnings
access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.2 10.1.1.0 255.255.255.0 eq domain log warnings
access-list inside_out extended permit ip 10.1.1.0 255.255.255.0 any
access-list inside_out extended deny ip any any log warnings
access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.0 log warnings
access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.1 log warnings
access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.2 log warnings
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any
access-list inside_in extended deny ip any any log warnings
access-list id12251X6282.0 extended permit ip 10.1.1.0 255.255.255.0 any
access-list id3DB0F94E.0 permit tcp host 192.168.1.10 eq 25 any
access-list id3DB0F924.0 permit ip 192.168.2.0 255.255.255.0 any
access-list id3DB0F924.0 permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging emblem
logging trap debugging
logging history informational
logging facility 16
logging queue 10
logging device-id ipaddress inside
logging host inside 192.168.240.20
logging host inside 10.1.1.40 format emblem
logging class config buffered debugging
mtu outside 1500
mtu dmz102 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet2
failover lan enable
failover key *****
failover link failover Ethernet2
failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 1 22.22.22.0 netmask 255.255.255.0
global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0
nat (inside) 1 access-list id12251X6282.0
nat (dmz102) 1 access-list id3DB0F924.0 0 0
static (inside,outside) tcp interface 25 access-list id3DB0F94E.0 0 0
static (inside,dmz102) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz102) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group inside_out out interface inside
route inside 192.168.10.0 255.255.255.0 10.1.1.254 1
route inside 10.1.2.0 255.255.255.0 10.1.1.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 2:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username fwbtest password AAAAAAAAAAAAAAAA encrypted privilege 15
aaa authentication ssh console LOCAL
snmp-server host inside 10.1.1.180 community public
snmp-server host inside 10.1.1.30 community public
snmp-server host inside 10.1.1.40 poll community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set spde esp-des esp-sha-hmac
crypto map spdemap 21 set peer 192.0.2.254
crypto map spdemap 21 set transform-set spde
crypto isakmp identity address
crypto isakmp policy 21
authentication pre-share
encryption des
hash sha
group 1
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.0.2.254 type ipsec-l2l
tunnel-group 192.0.2.254 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.1.2.0 255.255.255.0 inside
ssh 192.0.2.100 255.255.255.255 outside
ssh timeout 20
console timeout 0
!
class-map custom_h323_h225_inspection
match port tcp range h323 1721
class-map custom_http_inspection
match port tcp range www 88
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ctiqbe
inspect icmp
inspect ils
inspect mgcp
inspect esmtp
class custom_h323_h225_inspection
inspect h323 h225
class custom_http_inspection
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end


@ -117,8 +117,10 @@ void PIXImporterTest::compareResults(QueueLogger* logger,
CPPUNIT_ASSERT_MESSAGE(
QString(
"Sizes of the generated importer output and test files are different. "
"Expected: %1 (%2) Obtained: %3 (%4)")
"Sizes of the generated importer output and test files are different.\n"
"Expected: %1 (%2)\n"
"Obtained: %3 (%4)\n"
"diff -u %1 %3 | less -S")
.arg(expected_result_file_name).arg(expected_result.size())
.arg(obtained_result_file_name).arg(obtained_result.size()).toStdString(),
expected_result.size() == obtained_result.size());
@ -154,7 +156,9 @@ void PIXImporterTest::compareFwbFiles(QString expected_result_file_name,
// because they are always going to be different
QString err("Sizes of the generated .fwb and test files are different: \n"
"expected: %1 (%2) obtained: %3 (%4)");
"Expected: %1 (%2)\n"
"Obtained: %3 (%4)\n"
"diff -u %1 %3 | less -S");
CPPUNIT_ASSERT_MESSAGE(
err
@ -205,8 +209,8 @@ void PIXImporterTest::PIX_6_Test()
db->setPredictableIds();
db->saveFile("pix6.fwb");
compareFwbFiles("test_data/pix6.fwb", "pix6.fwb");
compareResults(logger, "test_data/pix6.output", "pix6.output");
compareFwbFiles("test_data/pix6.fwb", "pix6.fwb");
}
void PIXImporterTest::PIX_7_Test()
@ -222,8 +226,8 @@ void PIXImporterTest::PIX_7_Test()
db->setPredictableIds();
db->saveFile("pix7.fwb");
compareFwbFiles("test_data/pix7.fwb", "pix7.fwb");
compareResults(logger, "test_data/pix7.output", "pix7.output");
compareFwbFiles("test_data/pix7.fwb", "pix7.fwb");
}
void PIXImporterTest::ASA_8_0_Test()
@ -239,8 +243,8 @@ void PIXImporterTest::ASA_8_0_Test()
db->setPredictableIds();
db->saveFile("asa8.0.fwb");
compareFwbFiles("test_data/asa8.0.fwb", "asa8.0.fwb");
compareResults(logger, "test_data/asa8.0.output", "asa8.0.output");
compareFwbFiles("test_data/asa8.0.fwb", "asa8.0.fwb");
}
void PIXImporterTest::ASA_8_3_Test()
@ -256,8 +260,8 @@ void PIXImporterTest::ASA_8_3_Test()
db->setPredictableIds();
db->saveFile("asa8.3.fwb");
compareFwbFiles("test_data/asa8.3.fwb", "asa8.3.fwb");
compareResults(logger, "test_data/asa8.3.output", "asa8.3.output");
compareFwbFiles("test_data/asa8.3.fwb", "asa8.3.fwb");
}
void PIXImporterTest::ObjectsAndGroupsTest()
@ -274,8 +278,11 @@ void PIXImporterTest::ObjectsAndGroupsTest()
db->setPredictableIds();
db->saveFile("asa8.3-objects-and-groups.fwb");
compareFwbFiles("test_data/asa8.3-objects-and-groups.fwb", "asa8.3-objects-and-groups.fwb");
compareResults(logger, "test_data/asa8.3-objects-and-groups.output", "asa8.3-objects-and-groups.output");
compareResults(logger,
"test_data/asa8.3-objects-and-groups.output",
"asa8.3-objects-and-groups.output");
compareFwbFiles("test_data/asa8.3-objects-and-groups.fwb",
"asa8.3-objects-and-groups.fwb");
}
void PIXImporterTest::ACLObjectsAndGroupsTest()
@ -291,8 +298,11 @@ void PIXImporterTest::ACLObjectsAndGroupsTest()
db->setPredictableIds();
db->saveFile("asa8.3-acl-object-groups.fwb");
compareFwbFiles("test_data/asa8.3-acl-object-groups.fwb", "asa8.3-acl-object-groups.fwb");
compareResults(logger, "test_data/asa8.3-acl-object-groups.output", "asa8.3-acl-object-groups.output");
compareResults(logger,
"test_data/asa8.3-acl-object-groups.output",
"asa8.3-acl-object-groups.output");
compareFwbFiles("test_data/asa8.3-acl-object-groups.fwb",
"asa8.3-acl-object-groups.fwb");
}
void PIXImporterTest::ACLTest()
@ -308,7 +318,7 @@ void PIXImporterTest::ACLTest()
db->setPredictableIds();
db->saveFile("asa8.3-acl.fwb");
compareFwbFiles("test_data/asa8.3-acl.fwb", "asa8.3-acl.fwb");
compareResults(logger, "test_data/asa8.3-acl.output", "asa8.3-acl.output");
compareFwbFiles("test_data/asa8.3-acl.fwb", "asa8.3-acl.fwb");
}
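Review bot: The new size-mismatch message is now duplicated between compareResults (hunk @ -117) and compareFwbFiles (hunk @ -154) and already differs between the two (`different.\n` versus `different: \n`), so the copies will keep drifting; a small shared helper such as `static QString sizeMismatchMessage(const QString &what, const QString &expected_file, int expected_size, const QString &obtained_file, int obtained_size)` called from both would keep them aligned. The `diff -u %1 %3 | less -S` hint also interpolates the file names unquoted, so a path with spaces would not paste as a working command; `diff -u "%1" "%3"` is a cheap fix. Both enclosing functions extend beyond their hunks.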


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301451903" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301462592" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -544,7 +544,7 @@
<RuleSetOptions/>
</NAT>
<Policy id="id93" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id95" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Imported from inside_in&#10;0 ( global) &#10;Created during import of line 127">
<PolicyRule id="id95" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Imported from inside_in&#10;0 ( global ) &#10;Created during import of line 127">
<Src neg="False">
<ObjectRef ref="id17"/>
</Src>
@ -964,7 +964,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id347" disabled="False" group="" log="True" position="21" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;3 ( global) &#10;Created during import of line 154">
<PolicyRule id="id347" disabled="False" group="" log="True" position="21" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;3 ( global ) &#10;Created during import of line 154">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>


@ -11,7 +11,7 @@ Interface address: dhcp/
New interface: Ethernet0/0
Interface comment: Switch port 0 / 0
Named object (service) http.0Named object (service) https.0Named object (address) server-1.0Named object (address) Internal_net.0Named object (address) external_net.0Object Group (service) id5102X14531.srv.tcp.0Named object (service) ip2Object Group (protocol) pg1Object Group (network) src-network-group-1Object Group (network) dst-network-group-1Ruleset: inside_in
Rule comment: 0 ( global)
Rule comment: 0 ( global )
Ruleset: inside_in
Ruleset: inside_in
Ruleset: inside_in
@ -34,7 +34,7 @@ Ruleset: inside_in
Ruleset: inside_in
Ruleset: inside_in
Ruleset: inside_in
Rule comment: 3 ( global)
Rule comment: 3 ( global )
Ruleset: inside_in
Ruleset: inside_in
Ruleset: inside_in


@ -226,12 +226,3 @@ access-group inside_out out interface inside
access-group outside_in in interface outside
access-group outside_out out interface outside
!
! Rule 0 (NAT)
nat (inside,outside) source dynamic Internal_net.0 interface description "0 (NAT)"
!
! Rule 1 (NAT)
nat (outside,inside) source static any any destination static interface server-1.0 service http.0 http.0 description "1 (NAT)"
nat (outside,inside) source static any any destination static interface server-1.0 service https.0 https.0 description "1 (NAT)"


@ -0,0 +1,156 @@
: Saved
:
ASA Version 8.3(2)
!
hostname asa5505
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
exit
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
exit
interface Ethernet0/0
description Switch port 0/0
exit
no logging buffered
no logging console
no logging timestamp
no logging on
timeout xlate 0:0:0
timeout conn 0:0:0
timeout udp 0:0:0
timeout sunrpc 0:0:0
timeout h323 0:0:0
timeout sip 0:0:0
timeout sip_media 0:0:0
timeout half-closed 0:0:0
timeout uauth 0:0:0
clear config ssh
aaa authentication ssh console LOCAL
clear config snmp-server
no snmp-server enable traps
clear config ntp
no service resetinbound
no service resetoutside
no sysopt connection timewait
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
service-policy global_policy global
clear xlate
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear config object-group
clear config object
object service http.0
service tcp destination eq 80
exit
object service https.0
service tcp destination eq 443
exit
object network server-1.0
host 192.168.1.100
exit
object network Internal_net.0
subnet 192.168.1.0 255.255.255.0
exit
object network external_net.0
subnet 192.0.2.0 255.255.255.0
object-group service id5102X14531.srv.tcp.0 tcp
port-object eq 80
port-object eq 443
exit
object service ip2
service eigrp
object-group protocol pg1
protocol-object 111
protocol-object ah
protocol-object ip
protocol-object eigrp
object-group network src-network-group-1
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network dst-network-group-1
network-object object external_net.0
object-group network outside.id178211X29963.osrc.net.0
network-object object internal_subnet_1
network-object object internal_subnet_2
!
object-group network outside.id21353X4994.osrc.net.0
network-object object internal_subnet_1
network-object object Internal_net
network-object object internal_subnet_2
!
object-group network outside.id77971X5929.osrc.net.1
network-object object internal_subnet_1
network-object object internal_subnet_2
!################
!
access-list outside_in extended deny ip any any log
! access-group statements
access-group outside_in in interface outside
!
! Rule 0 (NAT)
nat (inside,outside) source dynamic Internal_net.0 interface description "0 (NAT)"
!
! Rule 1 (NAT)
nat (outside,inside) source static any any destination static interface server-1.0 service http.0 http.0 description "1 (NAT)"
nat (outside,inside) source static any any destination static interface server-1.0 service https.0 https.0 description "1 (NAT)"
nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp
nat (inside,outside) source dynamic outside.id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp
nat (outside,inside) source static any any destination static interface hostA:eth0 service http squid
nat (inside,outside) source dynamic outside.id77971X5929.osrc.net.0 outside.id77971X5929.tsrc.net.0 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtp smtp
nat (inside,outside) source dynamic outside.id77971X5929.osrc.net.0 outside.id77971X5929.tsrc.net.1 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtps smtps
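Review bot: Several names the trailing `nat` statements of this new fixture resolve against are not declared anywhere in the rendered lines: `internal_subnet_1` and `internal_subnet_2` (used inside the three `outside.*.osrc.net.*` groups), `hostA:eth0`, `firewall90:FastEthernet1:ip-1`, the `outside.id77971X5929.tsrc.net.*` and `odst.net.0` groups, and `outside.id77971X5929.osrc.net.0` is referenced while only `.osrc.net.1` is defined. The section reports 156 additions and fewer lines are rendered here, so some of these may be declared in lines not shown; if they are not, the expected `.output`/`.fwb` for this file should either get the missing `object network` definitions or record the resolution errors explicitly, otherwise the test only pins whatever the first-cut grammar happens to do with dangling references. A short `!` comment at the top of the fixture naming which NAT forms it is meant to exercise would also make the intent of this pasted compiler output clear.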


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301451903" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301464491" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -436,51 +436,81 @@
</ObjectGroup>
<ObjectGroup id="id4" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id5" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id6" name="Groups" comment="" ro="False">
<ObjectGroup id="id7" name="outside.id178211X29963.osrc.net.0" comment="Created during import of line 64" ro="False">
<ObjectRef ref="id19"/>
<ObjectRef ref="id20"/>
</ObjectGroup>
<ObjectGroup id="id10" name="outside.id21353X4994.osrc.net.0" comment="Created during import of line 68" ro="False">
<ObjectRef ref="id19"/>
<ObjectRef ref="id21"/>
<ObjectRef ref="id20"/>
</ObjectGroup>
<ObjectGroup id="id14" name="outside.id77971X5929.osrc.net.1" comment="Created during import of line 73" ro="False">
<ObjectRef ref="id19"/>
<ObjectRef ref="id20"/>
</ObjectGroup>
<ObjectGroup id="id6" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id7" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id8" name="Networks" comment="" ro="False">
<Network id="id9" name="internal_subnet_1" comment="Internal Subnet 1 &#10;Created during import of line 55" ro="False" address="192.168.1.0" netmask="255.255.255.192"/>
<Network id="id10" name="internal_subnet_2" comment="Internal Subnet 2 &#10;Created during import of line 58" ro="False" address="192.168.1.64" netmask="255.255.255.192"/>
<Network id="id11" name="Internal_net" comment="Created during import of line 60" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id12" name="net-10.10.10.0/255.255.255.0" comment="Created during import of line 92" ro="False" address="10.10.10.0" netmask="255.255.255.0"/>
<Network id="id13" name="net-10.1.1.0/255.255.255.0" comment="Created during import of line 93" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="id17" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id18" name="Networks" comment="" ro="False">
<Network id="id19" name="internal_subnet_1" comment="Internal Subnet 1 &#10;Created during import of line 55" ro="False" address="192.168.1.0" netmask="255.255.255.192"/>
<Network id="id20" name="internal_subnet_2" comment="Internal Subnet 2 &#10;Created during import of line 58" ro="False" address="192.168.1.64" netmask="255.255.255.192"/>
<Network id="id21" name="Internal_net" comment="Created during import of line 60" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="id22" name="Address Ranges" comment="" ro="False"/>
<ObjectGroup id="id14" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id23" name="Services" comment="" ro="False">
<ServiceGroup id="id24" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id25" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id26" name="IP" comment="" ro="False">
<IPService id="id27" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" rtralt_value="False" short_fragm="False" ssrr="False" tos="" ts="False" name="ip" comment="Created during import of line 78" ro="False"/>
<ServiceGroup id="id15" name="Services" comment="" ro="False">
<ServiceGroup id="id16" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id17" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id18" name="IP" comment="" ro="False">
<IPService id="id19" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" rtralt_value="False" short_fragm="False" ssrr="False" tos="" ts="False" name="ip" comment="Created during import of line 65" ro="False"/>
</ServiceGroup>
<ServiceGroup id="id28" name="TCP" comment="" ro="False"/>
<ServiceGroup id="id29" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id30" name="Users" comment="" ro="False"/>
<ServiceGroup id="id31" name="Custom" comment="" ro="False"/>
<ServiceGroup id="id32" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="id20" name="TCP" comment="" ro="False">
<TCPService id="id21" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 22:22" comment="Created during import of line 92" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
</ServiceGroup>
<ServiceGroup id="id22" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id23" name="Users" comment="" ro="False"/>
<ServiceGroup id="id24" name="Custom" comment="" ro="False"/>
<ServiceGroup id="id25" name="TagServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id33" name="Firewalls" comment="" ro="False">
<Firewall id="id34" host_OS="pix_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pix" version="8.3" name="asa5505" comment="Created during import of line 5" ro="False">
<NAT id="id38" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<ObjectGroup id="id26" name="Firewalls" comment="" ro="False">
<Firewall id="id27" host_OS="pix_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pix" version="8.3" name="asa5505" comment="Created during import of line 5" ro="False">
<NAT id="id55" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id36" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<Policy id="id29" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id31" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Imported from ssh_commands_inside&#10;Created during import of line 92">
<Src neg="False">
<ObjectRef ref="id12"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id27"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id21"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id59"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="Imported from ssh_commands_inside&#10;Created during import of line 93">
<Src neg="False">
<ObjectRef ref="id13"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id27"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id21"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id59"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id51" name="outside_acl_in" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id53" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="Created during import of line 78">
<Policy id="id68" name="outside_acl_in" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id70" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="Created during import of line 65">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -488,7 +518,7 @@
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id27"/>
<ServiceRef ref="id19"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
@ -502,20 +532,20 @@
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id40" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<Routing id="id57" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id42" dedicated_failover="False" dyn="True" label="inside" security_level="100" unnum="False" unprotected="False" name="Vlan1" comment="inside interface " ro="False">
<Interface id="id59" dedicated_failover="False" dyn="True" label="inside" security_level="100" unnum="False" unprotected="False" name="Vlan1" comment="inside interface " ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id44" dedicated_failover="False" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="Vlan2" comment="outside interface " ro="False">
<IPv4 id="id45" name="asa5505:Vlan2:ip" comment="Created during import of line 23" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<Interface id="id61" dedicated_failover="False" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="Vlan2" comment="outside interface " ro="False">
<IPv4 id="id62" name="asa5505:Vlan2:ip" comment="Created during import of line 23" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id47" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet0/0" comment="Switch port 0 / 0 " ro="False">
<Interface id="id64" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet0/0" comment="Switch port 0 / 0 " ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id49" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Vlan2020" comment="Created during import of line 30" ro="False">
<Interface id="id66" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Vlan2020" comment="Created during import of line 30" ro="False">
<InterfaceOptions/>
</Interface>
<FirewallOptions>
@ -536,7 +566,7 @@
</FirewallOptions>
</Firewall>
</ObjectGroup>
<ObjectGroup id="id65" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="id66" name="Time" comment="" ro="False"/>
<ObjectGroup id="id82" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="id83" name="Time" comment="" ro="False"/>
</Library>
</FWObjectDatabase>


@ -33,4 +33,10 @@ New interface: Ethernet0/6
Warning: interface Ethernet0/6 was not imported because it is in "shutdown" mode
New interface: Ethernet0/7
Warning: interface Ethernet0/7 was not imported because it is in "shutdown" mode
Named object (address) internal_subnet_1Named object (address) internal_subnet_2Named object (address) Internal_netNamed object (address) hostA:eth0Object Group (network) outside.id178211X29963.osrc.net.0Object Group (network) outside.id21353X4994.osrc.net.0Object Group (network) outside.id77971X5929.osrc.net.1Ruleset: outside_acl_in
Named object (address) internal_subnet_1Named object (address) internal_subnet_2Named object (address) Internal_netNamed object (address) hostA:eth0Ruleset: outside_acl_in
Parser error: line 91:5: unexpected token: scopy
Ruleset: ssh_commands_inside
Interface Vlan1 ruleset ssh_commands_inside direction 'in'
Ruleset: ssh_commands_inside
Interface Vlan1 ruleset ssh_commands_inside direction 'in'
Parser error: line 95:5: unexpected token: version


@ -61,19 +61,6 @@ object network Internal_net
object network hostA:eth0
host 192.168.1.10
object-group network outside.id178211X29963.osrc.net.0
network-object object internal_subnet_1
network-object object internal_subnet_2
!
object-group network outside.id21353X4994.osrc.net.0
network-object object internal_subnet_1
network-object object Internal_net
network-object object internal_subnet_2
!
object-group network outside.id77971X5929.osrc.net.1
network-object object internal_subnet_1
network-object object internal_subnet_2
access-list outside_acl_in extended deny ip any any log
pager lines 24
@ -85,11 +72,6 @@ mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp
nat (inside,outside) source dynamic outside.id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp
nat (outside,inside) source static any any destination static interface hostA:eth0 service http squid
nat (inside,outside) source dynamic outside.id77971X5929.osrc.net.0 outside.id77971X5929.tsrc.net.0 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtp smtp
nat (inside,outside) source dynamic outside.id77971X5929.osrc.net.0 outside.id77971X5929.tsrc.net.1 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtps smtps
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301451903" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301462978" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -880,7 +880,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id292" disabled="False" group="" log="False" position="18" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;1 ( global) &#10;Created during import of line 86">
<PolicyRule id="id292" disabled="False" group="" log="False" position="18" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;1 ( global ) &#10;Created during import of line 86">
<Src neg="False">
<ObjectRef ref="id17"/>
</Src>
@ -920,7 +920,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id316" disabled="False" group="" log="False" position="20" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;5 ( global) &#10;Created during import of line 94">
<PolicyRule id="id316" disabled="False" group="" log="False" position="20" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;5 ( global ) &#10;Created during import of line 94">
<Src neg="False">
<ObjectRef ref="id3"/>
</Src>
@ -940,7 +940,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id328" disabled="False" group="" log="False" position="21" action="Deny" direction="Inbound" comment="Imported from inside_acl_in&#10;6 ( global) &#10;Created during import of line 96">
<PolicyRule id="id328" disabled="False" group="" log="False" position="21" action="Deny" direction="Inbound" comment="Imported from inside_acl_in&#10;6 ( global ) &#10;Created during import of line 96">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -960,7 +960,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id340" disabled="False" group="" log="False" position="22" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;7 ( global) &#10;Created during import of line 98">
<PolicyRule id="id340" disabled="False" group="" log="False" position="22" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;7 ( global ) &#10;Created during import of line 98">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -980,7 +980,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id352" disabled="False" group="" log="False" position="23" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;17 ( global) &#10;Created during import of line 107">
<PolicyRule id="id352" disabled="False" group="" log="False" position="23" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;17 ( global ) &#10;Created during import of line 107">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1020,7 +1020,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id376" disabled="False" group="" log="False" position="25" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;18 ( global) &#10;Created during import of line 110">
<PolicyRule id="id376" disabled="False" group="" log="False" position="25" action="Accept" direction="Inbound" comment="Imported from inside_acl_in&#10;18 ( global ) &#10;Created during import of line 110">
<Src neg="False">
<ObjectRef ref="id17"/>
</Src>
@ -1040,7 +1040,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id388" disabled="False" group="" log="True" position="26" action="Deny" direction="Inbound" comment="Imported from inside_acl_in&#10;19 ( global) ' catch all' rule &#10;Created during import of line 113">
<PolicyRule id="id388" disabled="False" group="" log="True" position="26" action="Deny" direction="Inbound" comment="Imported from inside_acl_in&#10;19 ( global ) ' catch all' rule &#10;Created during import of line 113">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1061,7 +1061,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id400" disabled="False" group="" log="True" position="27" action="Deny" direction="Inbound" comment="Imported from outside_acl_in&#10;0 ( ethernet0) &#10;Created during import of line 53">
<PolicyRule id="id400" disabled="False" group="" log="True" position="27" action="Deny" direction="Inbound" comment="Imported from outside_acl_in&#10;0 ( ethernet0 ) &#10;Created during import of line 53">
<Src neg="False">
<ObjectRef ref="id3"/>
</Src>
@ -1103,7 +1103,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id424" disabled="False" group="" log="False" position="29" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;3 ( global) &#10;Created during import of line 56">
<PolicyRule id="id424" disabled="False" group="" log="False" position="29" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;3 ( global ) &#10;Created during import of line 56">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1123,7 +1123,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id436" disabled="False" group="" log="False" position="30" action="Deny" direction="Inbound" comment="Imported from outside_acl_in&#10;4 ( global) fw uses DHCP plus many DHCP requests from cable modem 6 ( global) &#10;Created during import of line 65">
<PolicyRule id="id436" disabled="False" group="" log="False" position="30" action="Deny" direction="Inbound" comment="Imported from outside_acl_in&#10;4 ( global ) fw uses DHCP plus many DHCP requests from cable modem 6 ( global ) &#10;Created during import of line 65">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1143,7 +1143,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id448" disabled="False" group="" log="False" position="31" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;7 ( global) &#10;Created during import of line 67">
<PolicyRule id="id448" disabled="False" group="" log="False" position="31" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;7 ( global ) &#10;Created during import of line 67">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1163,7 +1163,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id460" disabled="False" group="" log="False" position="32" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;10 ( global) using swatch to automatically block probing ssh connections, so no need to limit &#10;Created during import of line 72">
<PolicyRule id="id460" disabled="False" group="" log="False" position="32" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;10 ( global ) using swatch to automatically block probing ssh connections, so no need to limit &#10;Created during import of line 72">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1203,7 +1203,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id484" disabled="False" group="" log="False" position="34" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;11 ( global) &#10;Created during import of line 76">
<PolicyRule id="id484" disabled="False" group="" log="False" position="34" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;11 ( global ) &#10;Created during import of line 76">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1243,7 +1243,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id508" disabled="False" group="" log="False" position="36" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;17 ( global) &#10;Created during import of line 80">
<PolicyRule id="id508" disabled="False" group="" log="False" position="36" action="Accept" direction="Inbound" comment="Imported from outside_acl_in&#10;17 ( global ) &#10;Created during import of line 80">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1283,7 +1283,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id532" disabled="False" group="" log="True" position="38" action="Deny" direction="Inbound" comment="Imported from outside_acl_in&#10;19 ( global) ' catch all' rule &#10;Created during import of line 84">
<PolicyRule id="id532" disabled="False" group="" log="True" position="38" action="Deny" direction="Inbound" comment="Imported from outside_acl_in&#10;19 ( global ) ' catch all' rule &#10;Created during import of line 84">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>


@ -6,14 +6,14 @@ Interface parameters: ethernet1 inside security100
Host name: guardian
Parser warning: "names" section detected. Import of configuration that uses "names" is not supported at this time
Object Group (icmp) inside.id12349X2458.srv.icmp.0Object Group (icmp) outside.id12363X2458.srv.icmp.0Object Group (service) outside.id12376X2458.srv.udp.0Object Group (service) outside.id12438X2458.srv.tcp.0Object Group (service) outside.id12466X2458.srv.tcp.0Ruleset: outside_acl_in
Rule comment: 0 ( ethernet0)
Rule comment: 0 ( ethernet0 )
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Rule comment: 3 ( global)
Rule comment: 3 ( global )
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Rule comment: 4 ( global)
Rule comment: 4 ( global )
Ruleset: outside_acl_in
Rule comment: fw uses DHCP
Ruleset: outside_acl_in
@ -21,13 +21,13 @@ Rule comment: plus many DHCP requests
Ruleset: outside_acl_in
Rule comment: from cable modem
Ruleset: outside_acl_in
Rule comment: 6 ( global)
Rule comment: 6 ( global )
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Rule comment: 7 ( global)
Rule comment: 7 ( global )
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Rule comment: 10 ( global)
Rule comment: 10 ( global )
Ruleset: outside_acl_in
Rule comment: using swatch to automatically
Ruleset: outside_acl_in
@ -37,40 +37,40 @@ Rule comment: need to limit
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Rule comment: 11 ( global)
Rule comment: 11 ( global )
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Rule comment: 17 ( global)
Rule comment: 17 ( global )
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Ruleset: outside_acl_in
Rule comment: 19 ( global)
Rule comment: 19 ( global )
Ruleset: outside_acl_in
Rule comment: ' catch all' rule
Ruleset: outside_acl_in
Ruleset: inside_acl_in
Rule comment: 1 ( global)
Rule comment: 1 ( global )
Ruleset: inside_acl_in
Ruleset: inside_acl_in
Ruleset: inside_acl_in
Rule comment: 5 ( global)
Rule comment: 5 ( global )
Ruleset: inside_acl_in
Ruleset: inside_acl_in
Rule comment: 6 ( global)
Rule comment: 6 ( global )
Ruleset: inside_acl_in
Ruleset: inside_acl_in
Rule comment: 7 ( global)
Rule comment: 7 ( global )
Ruleset: inside_acl_in
Ruleset: inside_acl_in
Rule comment: 17 ( global)
Rule comment: 17 ( global )
Ruleset: inside_acl_in
Ruleset: inside_acl_in
Ruleset: inside_acl_in
Rule comment: 18 ( global)
Rule comment: 18 ( global )
Ruleset: inside_acl_in
Ruleset: inside_acl_in
Rule comment: 19 ( global)
Rule comment: 19 ( global )
Ruleset: inside_acl_in
Rule comment: ' catch all' rule
Ruleset: inside_acl_in


@ -0,0 +1,214 @@
: Saved
:
PIX Version 7.2(1)
!
terminal width 511
hostname pix1
domain-name some-domain.org
enable password XXXXXXXXXXXXXXXX encrypted
names
name 1.2.3.4 gw
name 192.168.3.0 fake_network
name 192.168.4.1 inside_ip
!
dns-guard
!
interface Ethernet0
no nameif
no security-level
no ip address
!
interface Ethernet0.101
vlan 101
nameif outside
security-level 0
ip address 192.0.2.253 255.255.255.0
!
interface Ethernet0.102
vlan 102
nameif dmz20
security-level 20
ip address 10.0.0.253 255.255.255.0 standby 10.0.0.254
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.206 255.255.255.0
!
interface Ethernet2
description LAN/STATE Failover Interface
speed 10
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet6
!
passwd MMMMMMMMMMMMMMMM encrypted
boot system flash:/pix721.bin
ftp mode passive
clock timezone PDT -7
dns server-group DefaultDNS
domain-name some-domain.org
object-group network outside.id12051X6282.src.net.0
network-object host 10.1.1.206
network-object host 10.1.1.207
object-group network outside.id12051X6282.src.net.1
network-object host 172.17.1.253
network-object host 172.17.1.254
network-object host 192.0.2.253
network-object host 192.0.2.254
object-group network outside.id12051X6282.src.net.2
network-object host 10.0.0.253
network-object host 10.0.0.254
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.0 any log warnings
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.1 any log warnings
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.2 any log warnings
access-list outside_in extended deny ip 10.1.1.0 255.255.255.0 any log warnings
access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.0 10.1.1.0 255.255.255.0 eq domain log warnings
access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.1 10.1.1.0 255.255.255.0 eq domain log warnings
access-list inside_out extended permit udp object-group outside.id12051X6282.src.net.2 10.1.1.0 255.255.255.0 eq domain log warnings
access-list inside_out extended permit ip 10.1.1.0 255.255.255.0 any
access-list inside_out extended deny ip any any log warnings
access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.0 log warnings
access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.1 log warnings
access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.2 log warnings
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any
access-list inside_in extended deny ip any any log warnings
access-list id12251X6282.0 extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
access-group outside_in in interface outside
pager lines 24
logging enable
logging emblem
logging trap debugging
logging history informational
logging facility 16
logging queue 10
logging device-id ipaddress inside
logging host inside 192.168.240.20
logging host inside 10.1.1.40 format emblem
logging class config buffered debugging
mtu outside 1500
mtu dmz20 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet2
failover lan enable
failover key *****
failover link failover Ethernet2
failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 access-list id12251X6282.0
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group inside_out out interface inside
route inside 192.168.10.0 255.255.255.0 10.1.1.254 1
route inside 10.1.2.0 255.255.255.0 10.1.1.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 2:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username fwbtest password AAAAAAAAAAAAAAAA encrypted privilege 15
aaa authentication ssh console LOCAL
snmp-server host inside 10.1.1.180 community public
snmp-server host inside 10.1.1.30 community public
snmp-server host inside 10.1.1.40 poll community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set spde esp-des esp-sha-hmac
crypto map spdemap 21 set peer 192.0.2.254
crypto map spdemap 21 set transform-set spde
crypto isakmp identity address
crypto isakmp policy 21
authentication pre-share
encryption des
hash sha
group 1
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.0.2.254 type ipsec-l2l
tunnel-group 192.0.2.254 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.1.2.0 255.255.255.0 inside
ssh 192.0.2.100 255.255.255.255 outside
ssh timeout 20
console timeout 0
!
class-map custom_h323_h225_inspection
match port tcp range h323 1721
class-map custom_http_inspection
match port tcp range www 88
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ctiqbe
inspect icmp
inspect ils
inspect mgcp
inspect esmtp
class custom_h323_h225_inspection
inspect h323 h225
class custom_http_inspection
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
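Review bot: Every secret field in this fixture is scrubbed (`enable password XXXXXXXXXXXXXXXX encrypted`, `passwd MMMMMMMMMMMMMMMM encrypted`, `username fwbtest password AAAAAAAAAAAAAAAA`, `failover key *****`, `pre-shared-key *`), which is the right way to check a device config into a test tree, but nothing in the file says so, and the `snmp-server community public` lines carry the well-known default community string that a later contributor may either "fix" or, worse, overwrite by pasting a live config with real hashes. Since the importer already accepts the `: Saved` header, a second colon comment as the first line, e.g. `: test fixture - all credentials are placeholders, do not replace with a live config`, should parse the same way (confirm against the grammar); note it would shift every `Created during import of line N` reference in the expected outputs, so the oracles would need regenerating. Separately, the `access-group` bindings for `outside_in` and `inside_in` appear twice (once after the ACLs, again after the `nat` statements); if that duplication is not deliberate to exercise the importer, one copy should go so the expected output does not bake in a double binding.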


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301451903" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301462430" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -440,126 +440,67 @@
<IPv4 id="id8" name="h-192.0.2.254" comment="Created during import of line 77" ro="False" address="192.0.2.254" netmask="255.255.255.255"/>
<IPv4 id="id9" name="h-10.0.0.253" comment="Created during import of line 79" ro="False" address="10.0.0.253" netmask="255.255.255.255"/>
<IPv4 id="id10" name="h-10.0.0.254" comment="Created during import of line 80" ro="False" address="10.0.0.254" netmask="255.255.255.255"/>
<IPv4 id="id11" name="h-192.0.2.100" comment="Created during import of line 166" ro="False" address="192.0.2.100" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="id11" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id12" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id13" name="Groups" comment="" ro="False">
<ObjectGroup id="id14" name="outside.id12051X6282.src.net.0" comment="Created during import of line 70" ro="False">
<ObjectGroup id="id12" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id13" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id14" name="Groups" comment="" ro="False">
<ObjectGroup id="id15" name="outside.id12051X6282.src.net.0" comment="Created during import of line 70" ro="False">
<ObjectRef ref="id3"/>
<ObjectRef ref="id4"/>
</ObjectGroup>
<ObjectGroup id="id17" name="outside.id12051X6282.src.net.1" comment="Created during import of line 73" ro="False">
<ObjectGroup id="id18" name="outside.id12051X6282.src.net.1" comment="Created during import of line 73" ro="False">
<ObjectRef ref="id5"/>
<ObjectRef ref="id6"/>
<ObjectRef ref="id7"/>
<ObjectRef ref="id8"/>
</ObjectGroup>
<ObjectGroup id="id22" name="outside.id12051X6282.src.net.2" comment="Created during import of line 78" ro="False">
<ObjectGroup id="id23" name="outside.id12051X6282.src.net.2" comment="Created during import of line 78" ro="False">
<ObjectRef ref="id9"/>
<ObjectRef ref="id10"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="id25" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id26" name="Networks" comment="" ro="False">
<Network id="id27" name="net-10.1.1.0/255.255.255.0" comment="Created during import of line 84" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
<ObjectGroup id="id26" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id27" name="Networks" comment="" ro="False">
<Network id="id28" name="net-10.1.1.0/255.255.255.0" comment="Created during import of line 84" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
<Network id="id29" name="net-10.1.2.0/255.255.255.0" comment="Created during import of line 165" ro="False" address="10.1.2.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="id28" name="Address Ranges" comment="" ro="False"/>
<ObjectGroup id="id30" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id29" name="Services" comment="" ro="False">
<ServiceGroup id="id30" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id31" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id32" name="IP" comment="" ro="False">
<IPService id="id33" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" rtralt_value="False" short_fragm="False" ssrr="False" tos="" ts="False" name="ip" comment="Created during import of line 81" ro="False"/>
<ServiceGroup id="id31" name="Services" comment="" ro="False">
<ServiceGroup id="id32" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id33" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id34" name="IP" comment="" ro="False">
<IPService id="id35" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" rtralt_value="False" short_fragm="False" ssrr="False" tos="" ts="False" name="ip" comment="Created during import of line 81" ro="False"/>
</ServiceGroup>
<ServiceGroup id="id34" name="TCP" comment="" ro="False"/>
<ServiceGroup id="id35" name="UDP" comment="" ro="False">
<UDPService id="id36" name="udp 0:0 / 53:53" comment="Created during import of line 85" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<ServiceGroup id="id36" name="TCP" comment="" ro="False">
<TCPService id="id37" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 22:22" comment="Created during import of line 164" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
</ServiceGroup>
<ServiceGroup id="id37" name="Users" comment="" ro="False"/>
<ServiceGroup id="id38" name="Custom" comment="" ro="False"/>
<ServiceGroup id="id39" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="id38" name="UDP" comment="" ro="False">
<UDPService id="id39" name="udp 0:0 / 53:53" comment="Created during import of line 85" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
</ServiceGroup>
<ServiceGroup id="id40" name="Users" comment="" ro="False"/>
<ServiceGroup id="id41" name="Custom" comment="" ro="False"/>
<ServiceGroup id="id42" name="TagServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id40" name="Firewalls" comment="" ro="False">
<Firewall id="id41" host_OS="pix_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pix" version="7.0" name="pix1" comment="Created during import of line 6" ro="False">
<NAT id="id153" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<ObjectGroup id="id43" name="Firewalls" comment="" ro="False">
<Firewall id="id44" host_OS="pix_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pix" version="7.0" name="pix1" comment="Created during import of line 6" ro="False">
<NAT id="id252" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id43" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id45" disabled="False" group="" log="True" position="0" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 90">
<Policy id="id46" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id48" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Imported from ssh_commands_outside&#10;Created during import of line 166">
<Src neg="False">
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id11"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id14"/>
<ObjectRef ref="id44"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
<ServiceRef ref="id37"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id165"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id57" disabled="False" group="" log="True" position="1" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 91">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id17"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id165"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id69" disabled="False" group="" log="True" position="2" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 92">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id22"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id165"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id81" disabled="False" group="" log="False" position="3" action="Accept" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 93">
<Src neg="False">
<ObjectRef ref="id27"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id165"/>
<ObjectRef ref="id258"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
@ -568,18 +509,58 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id93" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 94">
<PolicyRule id="id60" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="Imported from ssh_commands_inside&#10;Created during import of line 164">
<Src neg="False">
<ObjectRef ref="id28"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id37"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id72" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="Imported from ssh_commands_inside&#10;Created during import of line 165">
<Src neg="False">
<ObjectRef ref="id29"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id44"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id37"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id84" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 90">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id15"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id165"/>
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
@ -589,18 +570,18 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id105" disabled="False" group="" log="True" position="5" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 81">
<PolicyRule id="id96" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 91">
<Src neg="False">
<ObjectRef ref="id14"/>
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id18"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id159"/>
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
@ -610,18 +591,18 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id117" disabled="False" group="" log="True" position="6" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 82">
<PolicyRule id="id108" disabled="False" group="" log="True" position="5" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 92">
<Src neg="False">
<ObjectRef ref="id17"/>
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id23"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id159"/>
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
@ -631,18 +612,38 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id129" disabled="False" group="" log="True" position="7" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 83">
<PolicyRule id="id120" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 93">
<Src neg="False">
<ObjectRef ref="id22"/>
<ObjectRef ref="id28"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id159"/>
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id132" disabled="False" group="" log="True" position="7" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 94">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
@ -652,18 +653,185 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id141" disabled="False" group="" log="True" position="8" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 84">
<PolicyRule id="id144" disabled="False" group="" log="True" position="8" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 85">
<Src neg="False">
<ObjectRef ref="id27"/>
<ObjectRef ref="id15"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id28"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id39"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id156" disabled="False" group="" log="True" position="9" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 86">
<Src neg="False">
<ObjectRef ref="id18"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id28"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id39"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id168" disabled="False" group="" log="True" position="10" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 87">
<Src neg="False">
<ObjectRef ref="id23"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id28"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id39"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id180" disabled="False" group="" log="False" position="11" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 88">
<Src neg="False">
<ObjectRef ref="id28"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id159"/>
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id192" disabled="False" group="" log="True" position="12" action="Deny" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 89">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id264"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id204" disabled="False" group="" log="True" position="13" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 81">
<Src neg="False">
<ObjectRef ref="id15"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id258"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id216" disabled="False" group="" log="True" position="14" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 82">
<Src neg="False">
<ObjectRef ref="id18"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id258"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id228" disabled="False" group="" log="True" position="15" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 83">
<Src neg="False">
<ObjectRef ref="id23"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id258"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id240" disabled="False" group="" log="True" position="16" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 84">
<Src neg="False">
<ObjectRef ref="id28"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id258"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
@ -675,16 +843,16 @@
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id170" name="id12251X6282.0" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id172" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="Created during import of line 95">
<Policy id="id269" name="id12251X6282.0" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id271" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="Created during import of line 95">
<Src neg="False">
<ObjectRef ref="id27"/>
<ObjectRef ref="id28"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
<ServiceRef ref="id35"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
@ -698,138 +866,31 @@
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id184" name="inside_out" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id186" disabled="False" group="" log="True" position="0" action="Accept" direction="Both" comment="Created during import of line 85">
<Src neg="False">
<ObjectRef ref="id14"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id27"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id36"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id198" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="Created during import of line 86">
<Src neg="False">
<ObjectRef ref="id17"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id27"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id36"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id210" disabled="False" group="" log="True" position="2" action="Accept" direction="Both" comment="Created during import of line 87">
<Src neg="False">
<ObjectRef ref="id22"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id27"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id36"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id222" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="Created during import of line 88">
<Src neg="False">
<ObjectRef ref="id27"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id234" disabled="False" group="" log="True" position="4" action="Deny" direction="Both" comment="Created during import of line 89">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id33"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id155" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<Routing id="id254" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id157" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet0" comment="Created during import of line 16" ro="False">
<Interface id="id256" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet0" comment="Created during import of line 16" ro="False">
<InterfaceOptions/>
<Interface id="id159" dedicated_failover="False" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="Created during import of line 21" ro="False">
<IPv4 id="id161" name="pix1:Ethernet0.101:ip" comment="Created during import of line 24" ro="False" address="192.0.2.253" netmask="255.255.255.0"/>
<Interface id="id258" dedicated_failover="False" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="Created during import of line 21" ro="False">
<IPv4 id="id260" name="pix1:Ethernet0.101:ip" comment="Created during import of line 24" ro="False" address="192.0.2.253" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
</InterfaceOptions>
</Interface>
<Interface id="id162" dedicated_failover="False" dyn="False" label="dmz20" security_level="20" unnum="False" unprotected="False" name="Ethernet0.102" comment="Created during import of line 27" ro="False">
<IPv4 id="id164" name="pix1:Ethernet0.102:ip" comment="Created during import of line 30" ro="False" address="10.0.0.253" netmask="255.255.255.0"/>
<Interface id="id261" dedicated_failover="False" dyn="False" label="dmz20" security_level="20" unnum="False" unprotected="False" name="Ethernet0.102" comment="Created during import of line 27" ro="False">
<IPv4 id="id263" name="pix1:Ethernet0.102:ip" comment="Created during import of line 30" ro="False" address="10.0.0.253" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">102</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id165" dedicated_failover="False" dyn="False" label="inside" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment="Created during import of line 33" ro="False">
<IPv4 id="id166" name="pix1:Ethernet1:ip" comment="Created during import of line 37" ro="False" address="10.1.1.206" netmask="255.255.255.0"/>
<Interface id="id264" dedicated_failover="False" dyn="False" label="inside" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment="Created during import of line 33" ro="False">
<IPv4 id="id265" name="pix1:Ethernet1:ip" comment="Created during import of line 37" ro="False" address="10.1.1.206" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id168" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet2" comment="LAN/STATE Failover Interface " ro="False">
<Interface id="id267" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet2" comment="LAN/STATE Failover Interface " ro="False">
<InterfaceOptions/>
</Interface>
<FirewallOptions>
@ -850,7 +911,7 @@
</FirewallOptions>
</Firewall>
</ObjectGroup>
<ObjectGroup id="id246" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="id247" name="Time" comment="" ro="False"/>
<ObjectGroup id="id283" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="id284" name="Time" comment="" ro="False"/>
</Library>
</FWObjectDatabase>


@ -45,3 +45,13 @@ Ruleset: inside_in
Ruleset: id12251X6282.0
Interface Ethernet1 ruleset inside_in direction 'in'
Interface Ethernet0.101 ruleset outside_in direction 'in'
Interface Ethernet0.101 ruleset outside_in direction 'in'
Interface Ethernet1 ruleset inside_in direction 'in'
Interface Ethernet1 ruleset inside_out direction 'out'
Parser error: line 163:5: unexpected token: scopy
Ruleset: ssh_commands_inside
Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
Ruleset: ssh_commands_inside
Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
Ruleset: ssh_commands_outside
Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in'
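Review bot: The added `Parser error: line 163:5: unexpected token: scopy` line turns a grammar gap into part of the test oracle: `ssh scopy enable` is a legitimate PIX 7.x command (the same line is present in the new NAT fixture added by this commit), so the test now passes only while the importer keeps rejecting it, and a later grammar fix will fail this fixture for the wrong reason. Better to accept `ssh scopy enable` in the `ssh` rule (consume it as a no-op, at most a warning) before committing the oracle, or at least mark this line as a known gap so nobody reads it as intended behaviour. The `Interface Ethernet1 ruleset inside_in direction 'in'` and `Interface Ethernet0.101 ruleset outside_in direction 'in'` lines are now emitted twice, which looks like the duplicated `access-group` statements in the fixture being bound a second time rather than an intended result; worth confirming the importer does not attach the same ruleset to the interface twice.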


@ -120,9 +120,6 @@ failover link failover Ethernet2
failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 access-list id12251X6282.0
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group inside_out out interface inside