* PIXImporterNat.cpp (buildSNATRule): see #2310 "Imported global /

nat rule has wrong interface defined". Importer mixed up inbound and outbound interfaces in NAT commands created from combination of "global" and "nat" PIX/ASA commands.
2026-03-23 11:47:24 +01:00 · 2011-04-05 19:06:35 -07:00 · 2011-04-05 19:06:35 -07:00 · 55da233d22
commit 55da233d22
parent 6fdbb3ecce
3 changed files with 26 additions and 21 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,10 @@
 2011-04-05  vadim  <vadim@netcitadel.com>

+	* PIXImporterNat.cpp (buildSNATRule): see #2310 "Imported global /
+	nat rule has wrong interface defined". Importer mixed up inbound
+	and outbound interfaces in NAT commands created from combination
+	of "global" and "nat" PIX/ASA commands.
+
 	* pix.g (nat_new_top_level_command): since import of ASA8.3
 	"new" nat commands is not implemented yet, importer should issue
 	a warning when such command is encountered. See #2315
--- a/src/import/PIXImporterNat.cpp
+++ b/src/import/PIXImporterNat.cpp
@ -327,11 +327,11 @@ void PIXImporter::buildSNATRule()

        RuleElement *itf_i_re = rule->getItfInb();
        assert(itf_i_re!=NULL);
-        itf_i_re->addRef(post_intf);
+        itf_i_re->addRef(pre_intf);

        RuleElement *itf_o_re = rule->getItfOutb();
        assert(itf_o_re!=NULL);
-        itf_o_re->addRef(pre_intf);
+        itf_o_re->addRef(post_intf);

        // add it to the current ruleset
        current_ruleset->ruleset->add(rule);
--- a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb
+++ b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301701671" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1302055569" id="root">
  <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -542,10 +542,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id598"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id598"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>
@ -569,10 +569,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id598"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id598"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>
@ -596,10 +596,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id598"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id598"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>
@ -623,10 +623,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id598"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id598"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>
@ -650,10 +650,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id601"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id601"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>
@ -677,10 +677,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id598"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id598"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>
@ -704,10 +704,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id598"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id598"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>
@ -731,10 +731,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id598"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id598"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>
@ -758,10 +758,10 @@
              <ServiceRef ref="sysid1"/>
            </TSrv>
            <ItfInb neg="False">
-              <ObjectRef ref="id601"/>
+              <ObjectRef ref="id604"/>
            </ItfInb>
            <ItfOutb neg="False">
-              <ObjectRef ref="id604"/>
+              <ObjectRef ref="id601"/>
            </ItfOutb>
            <NATRuleOptions/>
          </NATRule>