onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 17:57:22 +01:00
Code Issues Releases Wiki Activity

see #1942, #1943 fixed generation of the

Browse Source 
"object-group" statements by adding protocol keyword at the end so
that the group can be used in access-list commands.
This commit is contained in:
Vadim Kurland 2011-01-18 19:36:01 -08:00
parent 15f8ba513c
commit 701100b905
23 changed files with 479 additions and 453 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -23,7 +23,7 @@ core
build_num build_num
test/ipt/secuwall-1 test/ipt/secuwall-1
Makefile Makefile
!test/ipt/Makefile !test/*/Makefile
install* install*
ltmain.sh ltmain.sh
configure configure

10
doc/ChangeLog
View File

@ -1,3 +1,13 @@
2011-01-18 Vadim Kurland <vadim@netcitadel.com>
* PIXObjectGroup.cpp: see #1942, #1943 fixed generation of the
"object-group" statements by adding protocol keyword at the end so
that the group can be used in access-list commands. It looks like
mixed service groups that have no protocol keyword at the end of
the line that defines them cause error "specified object group
<foo> has wrong type; expecting service type". I am going to avoid
using mixed service groups because of this.
2011-01-17 vadim <vadim@netcitadel.com> 2011-01-17 vadim <vadim@netcitadel.com>
* ASA8TwiceNatLogic.cpp (getAutomaticType): fixes #1916 "nat rule * ASA8TwiceNatLogic.cpp (getAutomaticType): fixes #1916 "nat rule

122
src/cisco_lib/ASA8ObjectGroup.cpp
View File

@ -46,106 +46,21 @@ using namespace fwcompiler;
const char *ASA8ObjectGroup::TYPENAME={"ASA8ObjectGroup"}; const char *ASA8ObjectGroup::TYPENAME={"ASA8ObjectGroup"};
string ASA8ObjectGroup::toString(NamedObjectManager *named_object_manager)
throw(FWException) string ASA8ObjectGroup::groupMemberToString(
FWObject *obj, NamedObjectManager *named_object_manager)
throw(libfwbuilder::FWException)
{ {
ostringstream ostr;
if (this->size()==0) return "";
ostr << getObjectGroupHeader();
for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
NamedObject *named_object = NamedObject *named_object =
named_object_manager->named_objects[obj->getId()]; named_object_manager->named_objects[obj->getId()];
if (named_object) if (named_object)
{ {
ostr << " " return named_object->getCommandWhenObjectGroupMember(
<< named_object->getCommandWhenObjectGroupMember(
named_object_manager->fw).toStdString(); named_object_manager->fw).toStdString();
ostr << endl;
continue;
} }
if (this->getObjectGroupType() == NETWORK) return PIXObjectGroup::groupMemberToString(obj, named_object_manager);
{
Address *a = Address::cast(obj);
assert(a!=NULL);
const InetAddr *addr = a->getAddressPtr();
ostr << " network-object ";
if (Network::cast(obj)!=NULL)
{
const InetAddr *mask = a->getNetmaskPtr();
ostr << addr->toString() << " ";
ostr << mask->toString() << " ";
} else {
ostr << " host ";
ostr << addr->toString() << " ";
}
ostr << endl;
continue;
} else
{
if (IPService::isA(obj))
{
ostr << " service-object ";
Service *s = Service::cast(obj);
assert(s!=NULL);
ostr << s->getProtocolName();
ostr << endl;
continue;
}
if (ICMPService::isA(obj))
{
ostr << " service-object icmp ";
ICMPService *s = ICMPService::cast(obj);
assert(s!=NULL);
if ( s->getInt("type")== -1)
ostr << ""; // no keyword "any" anymore
else
ostr << s->getInt("type");
ostr << endl;
continue;
}
if (TCPService::isA(obj) || UDPService::isA(obj))
{
ostr << " service-object ";
ostr << ((TCPService::isA(obj))? "tcp " : "udp ");
Service *s = Service::cast(obj);
assert(s!=NULL);
int rs = TCPUDPService::cast(s)->getDstRangeStart();
int re = TCPUDPService::cast(s)->getDstRangeEnd();
if (rs<0) rs = 0;
if (re<0) re = 0;
if (rs>0 || re>0) {
if (rs==re) ostr << "eq " << rs;
else ostr << "range " << rs << " " << re;
}
else ostr << "range 0 65535";
ostr << endl;
continue;
}
QString err("ASA8ObjectGroup: Unsupported object '%1' found in object group");
throw FWException(err.arg(obj->getName().c_str()).toStdString());
}
}
ostr << " exit" << endl << endl;
return ostr.str();
} }
string ASA8ObjectGroup::getObjectGroupClass() string ASA8ObjectGroup::getObjectGroupClass()
@ -157,28 +72,3 @@ string ASA8ObjectGroup::getObjectGroupClass()
} }
} }
string ASA8ObjectGroup::getObjectGroupHeader()
{
ostringstream ostr;
ostr << "object-group " << getObjectGroupClass() << " " << this->getName();
ostr << endl;
return ostr.str();
}
/*
* We support CustomService objects in ASA8 object groups. If this group
* has custom service object, get protocol from it. Rule processors should
* ensure that there is only one custom service object in the group
*/
string ASA8ObjectGroup::getSrvTypeName()
{
FWObject *obj = FWReference::getObject(this->front());
if (isServiceGroup() && CustomService::isA(obj))
{
return CustomService::cast(obj)->getProtocol();
} else
return PIXObjectGroup::getSrvTypeName();
}

8
src/cisco_lib/ASA8ObjectGroup.h
View File

@ -39,9 +39,11 @@ public:
DECLARE_FWOBJECT_SUBTYPE(ASA8ObjectGroup); DECLARE_FWOBJECT_SUBTYPE(ASA8ObjectGroup);
virtual std::string getObjectGroupClass(); virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader(); //virtual std::string getObjectGroupHeader();
virtual std::string getSrvTypeName(); //virtual std::string getSrvTypeName();
virtual std::string toString(NamedObjectManager *named_obj_manager)
virtual std::string groupMemberToString(
libfwbuilder::FWObject *obj, NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException); throw(libfwbuilder::FWException);
}; };

113
src/cisco_lib/BaseObjectGroup.cpp
View File

@ -26,6 +26,7 @@
#include "config.h" #include "config.h"
#include "BaseObjectGroup.h" #include "BaseObjectGroup.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "fwbuilder/Address.h" #include "fwbuilder/Address.h"
#include "fwbuilder/Network.h" #include "fwbuilder/Network.h"
@ -35,23 +36,27 @@
#include "fwbuilder/UDPService.h" #include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h" #include "fwbuilder/CustomService.h"
#include <iostream>
#include <sstream> #include <sstream>
#include <QStringList>
using namespace libfwbuilder; using namespace libfwbuilder;
using namespace fwcompiler; using namespace fwcompiler;
using namespace std; using namespace std;
map<string,int> BaseObjectGroup::name_disambiguation; map<string,int> BaseObjectGroup::name_disambiguation;
const char *BaseObjectGroup::TYPENAME={"BaseObjectGroup"}; const char *BaseObjectGroup::TYPENAME={"BaseObjectGroup"};
string BaseObjectGroup::registerGroupName(const std::string &prefix) string BaseObjectGroup::registerGroupName(const std::string &prefix,
object_group_type gt)
{ {
ostringstream str; ostringstream str;
str << prefix; str << prefix;
switch (getObjectGroupType()) switch (gt)
{ {
case UNKNOWN: str << ".unknown"; break; case UNKNOWN: str << ".unknown"; break;
case NETWORK: str << ".net"; break; case NETWORK: str << ".net"; break;
@ -59,34 +64,88 @@ string BaseObjectGroup::registerGroupName(const std::string &prefix)
case ICMP_TYPE: str << ".icmp"; break; case ICMP_TYPE: str << ".icmp"; break;
case TCP_SERVICE: str << ".tcp"; break; case TCP_SERVICE: str << ".tcp"; break;
case UDP_SERVICE: str << ".udp"; break; case UDP_SERVICE: str << ".udp"; break;
case TCP_UDP_SERVICE: str << ".tcpudp"; break;
case MIXED_SERVICE: str << ".mixed"; break; case MIXED_SERVICE: str << ".mixed"; break;
} }
int n = name_disambiguation[str.str()]; int n = name_disambiguation[str.str()];
name_disambiguation[str.str()]=n+1; name_disambiguation[str.str()] = n + 1;
str << "." << n; str << "." << n;
return str.str(); return str.str();
} }
BaseObjectGroup::object_group_type BaseObjectGroup::getObjectGroupTypeFromFWObject(FWObject *obj) BaseObjectGroup::object_group_type BaseObjectGroup::getObjectGroupTypeFromFWObject(
const FWObject *obj)
{ {
if (Address::cast(obj)!=NULL) return NETWORK; if (Address::constcast(obj)!=NULL) return NETWORK;
if (IPService::cast(obj)!=NULL) return PROTO; if (IPService::constcast(obj)!=NULL) return PROTO;
if (ICMPService::cast(obj)!=NULL) return ICMP_TYPE; if (ICMPService::constcast(obj)!=NULL) return ICMP_TYPE;
if (TCPService::cast(obj)!=NULL) return TCP_SERVICE; if (TCPService::constcast(obj)!=NULL) return TCP_SERVICE;
if (UDPService::cast(obj)!=NULL) return UDP_SERVICE; if (UDPService::constcast(obj)!=NULL) return UDP_SERVICE;
if (CustomService::cast(obj)!=NULL) return MIXED_SERVICE;
return UNKNOWN; return UNKNOWN;
} }
void BaseObjectGroup::setObjectGroupTypeFromFWObject(FWObject *obj) void BaseObjectGroup::setObjectGroupTypeFromFWObject(const FWObject *obj)
{ {
setObjectGroupType(getObjectGroupTypeFromFWObject(obj)); setObjectGroupType(getObjectGroupTypeFromFWObject(obj));
} }
void BaseObjectGroup::setName(const std::string &prefix) void BaseObjectGroup::setObjectGroupTypeFromMembers(
NamedObjectManager *named_object_manager)
{ {
FWObject::setName( registerGroupName(prefix) ); object_group_type my_type = UNKNOWN;
std::map<int, int> type_counters;
for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
{
const FWObject *obj = FWReference::getObject(*i1);
NamedObject *named_object =
named_object_manager->named_objects[obj->getId()];
if (named_object)
obj = named_object->getObject();
object_group_type t = getObjectGroupTypeFromFWObject(obj);
if (type_counters.count(t) == 0) type_counters[t] = 1;
else type_counters[t]++;
}
if (type_counters[NETWORK]!=0 &&
(type_counters[PROTO]!=0 ||
type_counters[ICMP_TYPE]!=0 ||
type_counters[TCP_SERVICE]!=0 ||
type_counters[UDP_SERVICE]!=0 ||
type_counters[MIXED_SERVICE]!=0))
throw FWException("Object group should not contain both "
"network and service objects");
if (type_counters[NETWORK]!=0) my_type = NETWORK;
if (type_counters[PROTO]==0 &&
type_counters[ICMP_TYPE]==0 &&
(type_counters[TCP_SERVICE]!=0 ||
type_counters[UDP_SERVICE]!=0) &&
type_counters[MIXED_SERVICE]==0)
{
if (type_counters[TCP_SERVICE]!=0 && type_counters[UDP_SERVICE]!=0)
my_type = TCP_UDP_SERVICE;
if (type_counters[TCP_SERVICE]!=0 && type_counters[UDP_SERVICE]==0)
my_type = TCP_SERVICE;
if (type_counters[TCP_SERVICE]==0 && type_counters[UDP_SERVICE]!=0)
my_type = UDP_SERVICE;
}
if (type_counters[PROTO]!=0 &&
type_counters[ICMP_TYPE]==0 &&
type_counters[MIXED_SERVICE]==0) my_type = PROTO;
if (type_counters[PROTO]==0 &&
type_counters[ICMP_TYPE]!=0 &&
type_counters[MIXED_SERVICE]==0) my_type = ICMP_TYPE;
if (my_type==UNKNOWN) my_type = MIXED_SERVICE;
setObjectGroupType(my_type);
} }
bool BaseObjectGroup::isServiceGroup() bool BaseObjectGroup::isServiceGroup()
@ -97,6 +156,7 @@ bool BaseObjectGroup::isServiceGroup()
case ICMP_TYPE: return true; case ICMP_TYPE: return true;
case TCP_SERVICE: return true; case TCP_SERVICE: return true;
case UDP_SERVICE: return true; case UDP_SERVICE: return true;
case TCP_UDP_SERVICE: return true;
case MIXED_SERVICE: return true; case MIXED_SERVICE: return true;
default: return false; default: return false;
} }
@ -121,6 +181,7 @@ string BaseObjectGroup::getSrvTypeName()
case ICMP_TYPE: return "icmp"; case ICMP_TYPE: return "icmp";
case TCP_SERVICE: return "tcp"; case TCP_SERVICE: return "tcp";
case UDP_SERVICE: return "udp"; case UDP_SERVICE: return "udp";
case TCP_UDP_SERVICE: return "tcp-udp";
default: break; default: break;
} }
return ""; return "";
@ -134,19 +195,41 @@ string BaseObjectGroup::getObjectGroupClass()
case ICMP_TYPE: case ICMP_TYPE:
case TCP_SERVICE: case TCP_SERVICE:
case UDP_SERVICE: case UDP_SERVICE:
case TCP_UDP_SERVICE:
case MIXED_SERVICE: return "service"; case MIXED_SERVICE: return "service";
default: return "network"; default: return "network";
} }
return ""; return "";
} }
string BaseObjectGroup::toString(NamedObjectManager*) throw(FWException) string BaseObjectGroup::groupMemberToString(FWObject*, NamedObjectManager*)
throw(libfwbuilder::FWException)
{ {
return ""; return "";
} }
string BaseObjectGroup::toString(NamedObjectManager *nm) throw(FWException)
{
QStringList res;
if (this->size()==0) return "";
res << getObjectGroupHeader().c_str();
for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
{
res << QString(" %1").arg(
groupMemberToString(FWReference::getObject(*i1), nm).c_str());
}
res << getObjectGroupFooter().c_str();
res << "";
return res.join("\n").toStdString();
}
string BaseObjectGroup::getObjectGroupHeader() string BaseObjectGroup::getObjectGroupHeader()
{ {
return ""; return "";
} }
string BaseObjectGroup::getObjectGroupFooter()
{
return "";
}

22
src/cisco_lib/BaseObjectGroup.h
View File

@ -46,18 +46,19 @@ public:
ICMP_TYPE, ICMP_TYPE,
TCP_SERVICE, TCP_SERVICE,
UDP_SERVICE, UDP_SERVICE,
TCP_UDP_SERVICE,
MIXED_SERVICE } object_group_type; MIXED_SERVICE } object_group_type;
private: private:
object_group_type gt; object_group_type gt;
protected:
std::string registerGroupName(const std::string &prefix);
public: public:
static std::map<std::string,int> name_disambiguation; static std::map<std::string,int> name_disambiguation;
static std::string registerGroupName(const std::string &prefix,
object_group_type gt);
BaseObjectGroup(object_group_type _gt=UNKNOWN) : libfwbuilder::Group() BaseObjectGroup(object_group_type _gt=UNKNOWN) : libfwbuilder::Group()
{ {
gt=_gt; gt=_gt;
@ -71,11 +72,10 @@ public:
void setObjectGroupType(object_group_type _gt) { gt=_gt; } void setObjectGroupType(object_group_type _gt) { gt=_gt; }
object_group_type getObjectGroupType() { return gt; } object_group_type getObjectGroupType() { return gt; }
object_group_type getObjectGroupTypeFromFWObject(libfwbuilder::FWObject *o); void setObjectGroupTypeFromMembers(NamedObjectManager *named_obj_manager);
object_group_type getObjectGroupTypeFromFWObject(
void setObjectGroupTypeFromFWObject(libfwbuilder::FWObject *obj); const libfwbuilder::FWObject *o);
void setObjectGroupTypeFromFWObject(const libfwbuilder::FWObject *obj);
virtual void setName(const std::string &prefix);
bool isServiceGroup(); bool isServiceGroup();
bool isObjectGroup(); bool isObjectGroup();
@ -83,6 +83,12 @@ public:
virtual std::string getObjectGroupClass(); virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader(); virtual std::string getObjectGroupHeader();
virtual std::string getObjectGroupFooter();
virtual std::string groupMemberToString(
libfwbuilder::FWObject *obj, NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException);
virtual std::string toString(NamedObjectManager *named_obj_manager) virtual std::string toString(NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException); throw(libfwbuilder::FWException);
}; };

26
src/cisco_lib/IOSObjectGroup.cpp
View File

@ -45,22 +45,12 @@ using namespace std;
const char *IOSObjectGroup::TYPENAME={"IOSObjectGroup"}; const char *IOSObjectGroup::TYPENAME={"IOSObjectGroup"};
string IOSObjectGroup::toString(NamedObjectManager*) throw(FWException) string IOSObjectGroup::groupMemberToString(FWObject *obj,
NamedObjectManager*)
throw(libfwbuilder::FWException)
{ {
ostringstream ostr; ostringstream ostr;
if (this->size()==0) return "";
ostr << getObjectGroupHeader();
for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
ostr << " ";
switch (getObjectGroupType()) switch (getObjectGroupType())
{ {
case NETWORK: case NETWORK:
@ -130,10 +120,6 @@ string IOSObjectGroup::toString(NamedObjectManager*) throw(FWException)
default: default:
throw FWException("Unknown object group type"); throw FWException("Unknown object group type");
} }
ostr << endl;
}
ostr << "exit" << endl << endl;
return ostr.str(); return ostr.str();
} }
@ -154,7 +140,11 @@ string IOSObjectGroup::getObjectGroupHeader()
{ {
ostringstream ostr; ostringstream ostr;
ostr << "object-group " << getObjectGroupClass() << " " << this->getName(); ostr << "object-group " << getObjectGroupClass() << " " << this->getName();
ostr << endl;
return ostr.str(); return ostr.str();
} }
string IOSObjectGroup::getObjectGroupFooter()
{
return "exit";
}

5
src/cisco_lib/IOSObjectGroup.h
View File

@ -40,7 +40,10 @@ public:
virtual std::string getObjectGroupClass(); virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader(); virtual std::string getObjectGroupHeader();
virtual std::string toString(NamedObjectManager *named_obj_manager) virtual std::string getObjectGroupFooter();
virtual std::string groupMemberToString(
libfwbuilder::FWObject *obj, NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException); throw(libfwbuilder::FWException);
}; };

17
src/cisco_lib/NATCompiler_asa8.cpp
View File

@ -323,8 +323,10 @@ void NATCompiler_asa8::compile()
// by inspector VerifyRules // by inspector VerifyRules
add( new ReplaceFirewallObjectsODst("replace fw object in ODst" )); add( new ReplaceFirewallObjectsODst("replace fw object in ODst" ));
add( new ReplaceFirewallObjectsTSrc("replace fw object in TSrc" )); add( new ReplaceFirewallObjectsTSrc("replace fw object in TSrc" ));
add( new UseFirewallInterfaces( add( new UseFirewallInterfaces(
"replace host objects with firewall's interfaces if the have the same address")); "replace host objects with firewall's interfaces if "
"the have the same address"));
// ExpandMultipleAddresses acts on different rule elements // ExpandMultipleAddresses acts on different rule elements
// depending on the rule type. // depending on the rule type.
@ -339,6 +341,7 @@ void NATCompiler_asa8::compile()
add( new splitByNetworkZonesForOSrc("split by netzone for OSrc")); add( new splitByNetworkZonesForOSrc("split by netzone for OSrc"));
//add( new groupServicesByProtocol("group services by protocol in OSrv"));
add( new ConvertToAtomicForOSrv("convert to atomic for OSrv")); add( new ConvertToAtomicForOSrv("convert to atomic for OSrv"));
add( new ConvertToAtomicForTDst("convert to atomic for TDst")); add( new ConvertToAtomicForTDst("convert to atomic for TDst"));
add( new ConvertToAtomicForTSrv("convert to atomic for TSrv")); add( new ConvertToAtomicForTSrv("convert to atomic for TSrv"));
@ -357,13 +360,17 @@ void NATCompiler_asa8::compile()
add( new SpecialServicesOSrv( "check for special services" )); add( new SpecialServicesOSrv( "check for special services" ));
add( new CreateObjectGroupsForOSrc("create object groups for OSrc")); add( new CreateObjectGroupsForOSrc("create object groups for OSrc",
add( new CreateObjectGroupsForODst("create object groups for ODst")); named_objects_manager));
add( new CreateObjectGroupsForOSrv("create object groups for OSrv")); add( new CreateObjectGroupsForODst("create object groups for ODst",
named_objects_manager));
add( new CreateObjectGroupsForOSrv("create object groups for OSrv",
named_objects_manager));
// need special rule processor to create object groups in TSrc // need special rule processor to create object groups in TSrc
// because of a special tratment that an Interface object gets in TSrc // because of a special tratment that an Interface object gets in TSrc
add( new CreateObjectGroupsForTSrc("create object groups for TSrc")); add( new CreateObjectGroupsForTSrc("create object groups for TSrc",
named_objects_manager));
add( new VerifyValidityOfTSrc("verify objects in TSrc")); add( new VerifyValidityOfTSrc("verify objects in TSrc"));

1
src/cisco_lib/NamedObject.h
View File

@ -56,6 +56,7 @@ public:
const libfwbuilder::Firewall *fw); const libfwbuilder::Firewall *fw);
QString getName() { return name; } QString getName() { return name; }
QString getCommandWord(); QString getCommandWord();
const libfwbuilder::FWObject* getObject() { return obj; }
}; };
} }

77
src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
View File

@ -158,58 +158,22 @@ bool CreateObjectGroups::processNext()
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
/*
* If rule element holds just one object, then there is no need to create
* object group. However if this one object is CustomService, then we
* should create the group anyway.
*/
if (re->size()==1) if (re->size()==1)
{
if (XMLTools::version_compare(version, "8.3")>=0)
{
FWObject *obj = FWReference::getObject(re->front());
if (!CustomService::isA(obj))
{ {
tmp_queue.push_back(rule); tmp_queue.push_back(rule);
return true; return true;
} }
} else
{
tmp_queue.push_back(rule);
return true;
}
}
bool supports_mixed_groups =
Resources::platform_res[platform]->getResourceBool(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/supports_mixed_service_groups");
BaseObjectGroup *obj_group = findObjectGroup(re); BaseObjectGroup *obj_group = findObjectGroup(re);
if (obj_group==NULL) if (obj_group==NULL)
{ {
//obj_group= new BaseObjectGroup(); //obj_group= new BaseObjectGroup();
obj_group = ObjectGroupFactory::createObjectGroup(compiler->fw); obj_group = ObjectGroupFactory::createObjectGroup(compiler->fw);
object_groups->add(obj_group);
FWObject *obj = FWReference::getObject(re->front()); packObjects(re, obj_group);
BaseObjectGroup::object_group_type og_type =
obj_group->getObjectGroupTypeFromFWObject(obj);
obj_group->setObjectGroupType(og_type);
if (obj_group->isServiceGroup() && supports_mixed_groups && re->size() > 1) obj_group->setObjectGroupTypeFromMembers(named_objects_manager);
{
// rule element contains >1 object, check if they are of different types
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
FWObject *obj = FWReference::getObject(*i1);
if (og_type != obj_group->getObjectGroupTypeFromFWObject(obj))
{
obj_group->setObjectGroupType(BaseObjectGroup::MIXED_SERVICE);
break;
}
}
}
QStringList gn; QStringList gn;
if (!rule_iface->getLabel().empty()) if (!rule_iface->getLabel().empty())
@ -218,11 +182,9 @@ bool CreateObjectGroups::processNext()
gn.push_back(rule->getUniqueId().c_str()); gn.push_back(rule->getUniqueId().c_str());
gn.push_back(name_suffix.c_str()); gn.push_back(name_suffix.c_str());
string new_name = gn.join(".").toStdString(); string group_name = BaseObjectGroup::registerGroupName(
obj_group->setName(new_name); gn.join(".").toStdString(), obj_group->getObjectGroupType());
object_groups->add(obj_group); obj_group->setName(group_name);
packObjects(re, obj_group);
} else } else
{ {
@ -322,22 +284,9 @@ void printNamedObjectsCommon::printObjectsForRE(RuleElement *re)
} }
} }
bool printNamedObjectsForPolicy::haveCustomService(FWObject *grp) /*
{ * We do not need object-groups for policy rules.
for (FWObject::iterator it=grp->begin(); it!=grp->end(); ++it) */
{
FWObject *obj = FWReference::getObject(*it);
if (BaseObjectGroup::constcast(obj)!=NULL)
{
if (haveCustomService(obj)) return true;
} else
{
if (CustomService::isA(obj)) return true;
}
}
return false;
}
bool printNamedObjectsForPolicy::processNext() bool printNamedObjectsForPolicy::processNext()
{ {
slurp(); slurp();
@ -350,16 +299,12 @@ bool printNamedObjectsForPolicy::processNext()
PolicyRule *policy_rule = PolicyRule::cast( *k ); PolicyRule *policy_rule = PolicyRule::cast( *k );
if (policy_rule) if (policy_rule)
{ {
// At this time, we only need object groups in policy rules
// when CustomService object is used in Service
// RuleElementSrc *src_re = policy_rule->getSrc(); assert(src_re); // RuleElementSrc *src_re = policy_rule->getSrc(); assert(src_re);
// printObjectsForRE(src_re); // printObjectsForRE(src_re);
// RuleElementDst *dst_re = policy_rule->getDst(); assert(dst_re); // RuleElementDst *dst_re = policy_rule->getDst(); assert(dst_re);
// printObjectsForRE(dst_re); // printObjectsForRE(dst_re);
// RuleElementSrv *srv_re = policy_rule->getSrv(); assert(srv_re);
RuleElementSrv *srv_re = policy_rule->getSrv(); assert(srv_re); // if (haveCustomService(srv_re)) printObjectsForRE(srv_re);
if (haveCustomService(srv_re)) printObjectsForRE(srv_re);
} }
} }

40
src/cisco_lib/NamedObjectsAndGroupsSupport.h
View File

@ -59,6 +59,7 @@ protected:
std::string re_type; std::string re_type;
std::string name_suffix; std::string name_suffix;
NamedObjectManager *named_objects_manager;
BaseObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re); BaseObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re);
@ -72,8 +73,14 @@ public:
CreateObjectGroups(const std::string &name, CreateObjectGroups(const std::string &name,
const std::string &_ns, const std::string &_ns,
const std::string &_type) : const std::string &_type,
BasicRuleProcessor(name) {re_type=_type; name_suffix=_ns; } NamedObjectManager *m) :
BasicRuleProcessor(name)
{
re_type=_type;
name_suffix=_ns;
named_objects_manager = m;
}
virtual ~CreateObjectGroups(); virtual ~CreateObjectGroups();
virtual bool processNext(); virtual bool processNext();
@ -85,22 +92,22 @@ public:
class CreateObjectGroupsForSrc : public CreateObjectGroups class CreateObjectGroupsForSrc : public CreateObjectGroups
{ {
public: public:
CreateObjectGroupsForSrc(const std::string &n) : CreateObjectGroupsForSrc(const std::string &n, NamedObjectManager *m) :
CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME) {} CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME, m) {}
}; };
class CreateObjectGroupsForDst : public CreateObjectGroups class CreateObjectGroupsForDst : public CreateObjectGroups
{ {
public: public:
CreateObjectGroupsForDst(const std::string &n) : CreateObjectGroupsForDst(const std::string &n, NamedObjectManager *m) :
CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME) {} CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME, m) {}
}; };
class CreateObjectGroupsForSrv : public CreateObjectGroups class CreateObjectGroupsForSrv : public CreateObjectGroups
{ {
public: public:
CreateObjectGroupsForSrv(const std::string &n) : CreateObjectGroupsForSrv(const std::string &n, NamedObjectManager *m) :
CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {} CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME, m) {}
}; };
@ -110,22 +117,22 @@ public:
class CreateObjectGroupsForOSrc : public CreateObjectGroups class CreateObjectGroupsForOSrc : public CreateObjectGroups
{ {
public: public:
CreateObjectGroupsForOSrc(const std::string &n) : CreateObjectGroupsForOSrc(const std::string &n, NamedObjectManager *m) :
CreateObjectGroups(n,"osrc",libfwbuilder::RuleElementOSrc::TYPENAME) {} CreateObjectGroups(n,"osrc",libfwbuilder::RuleElementOSrc::TYPENAME, m){}
}; };
class CreateObjectGroupsForODst : public CreateObjectGroups class CreateObjectGroupsForODst : public CreateObjectGroups
{ {
public: public:
CreateObjectGroupsForODst(const std::string &n) : CreateObjectGroupsForODst(const std::string &n, NamedObjectManager *m) :
CreateObjectGroups(n,"odst",libfwbuilder::RuleElementODst::TYPENAME) {} CreateObjectGroups(n,"odst",libfwbuilder::RuleElementODst::TYPENAME, m){}
}; };
class CreateObjectGroupsForOSrv : public CreateObjectGroups class CreateObjectGroupsForOSrv : public CreateObjectGroups
{ {
public: public:
CreateObjectGroupsForOSrv(const std::string &n) : CreateObjectGroupsForOSrv(const std::string &n, NamedObjectManager *m) :
CreateObjectGroups(n,"osrv",libfwbuilder::RuleElementOSrv::TYPENAME) {} CreateObjectGroups(n,"osrv",libfwbuilder::RuleElementOSrv::TYPENAME, m){}
}; };
class CreateObjectGroupsForTSrc : public CreateObjectGroups class CreateObjectGroupsForTSrc : public CreateObjectGroups
@ -136,8 +143,8 @@ protected:
BaseObjectGroup *obj_group); BaseObjectGroup *obj_group);
public: public:
CreateObjectGroupsForTSrc(const std::string &n) : CreateObjectGroupsForTSrc(const std::string &n, NamedObjectManager *m) :
CreateObjectGroups(n,"tsrc",libfwbuilder::RuleElementTSrc::TYPENAME) {} CreateObjectGroups(n,"tsrc",libfwbuilder::RuleElementTSrc::TYPENAME, m){}
}; };
@ -177,7 +184,6 @@ public:
class printNamedObjectsForPolicy : public printNamedObjectsCommon class printNamedObjectsForPolicy : public printNamedObjectsCommon
{ {
bool haveCustomService(libfwbuilder::FWObject *grp);
public: public:
printNamedObjectsForPolicy(const std::string &n, printNamedObjectsForPolicy(const std::string &n,
NamedObjectManager *m) : printNamedObjectsCommon(n, m) {} NamedObjectManager *m) : printNamedObjectsCommon(n, m) {}

2
src/cisco_lib/ObjectGroupFactory.cpp
View File

@ -47,6 +47,8 @@ BaseObjectGroup* ObjectGroupFactory::createObjectGroup(
string platform = fw->getStr("platform"); string platform = fw->getStr("platform");
if (platform == "pix" || platform == "fwsm") if (platform == "pix" || platform == "fwsm")
{ {
//return new PIXObjectGroup(_gt);
if (XMLTools::version_compare(version, "8.0")<0) if (XMLTools::version_compare(version, "8.0")<0)
return new PIXObjectGroup(_gt); return new PIXObjectGroup(_gt);
else else

59
src/cisco_lib/PIXObjectGroup.cpp
View File

@ -43,67 +43,57 @@ using namespace std;
const char *PIXObjectGroup::TYPENAME={"PIXObjectGroup"}; const char *PIXObjectGroup::TYPENAME={"PIXObjectGroup"};
string PIXObjectGroup::toString(NamedObjectManager*) throw(FWException)
string PIXObjectGroup::groupMemberToString(FWObject *obj,
NamedObjectManager*)
throw(libfwbuilder::FWException)
{ {
ostringstream ostr; ostringstream ostr;
if (this->size()==0) return "";
ostr << getObjectGroupHeader();
for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
if (this->getObjectGroupType() == NETWORK) if (this->getObjectGroupType() == NETWORK)
{ {
Address *a = Address::cast(obj); Address *a = Address::cast(obj);
assert(a!=NULL); assert(a!=NULL);
const InetAddr *addr = a->getAddressPtr(); const InetAddr *addr = a->getAddressPtr();
ostr << " network-object "; ostr << "network-object ";
if (Network::cast(obj)!=NULL) if (Network::cast(obj)!=NULL)
{ {
const InetAddr *mask = a->getNetmaskPtr(); const InetAddr *mask = a->getNetmaskPtr();
ostr << addr->toString() << " "; ostr << addr->toString() << " ";
ostr << mask->toString() << " "; ostr << mask->toString() << " ";
} else { } else {
ostr << " host "; ostr << "host ";
ostr << addr->toString() << " "; ostr << addr->toString() << " ";
} }
ostr << endl; return ostr.str();
continue;
} else } else
{ {
if (IPService::isA(obj)) if (IPService::isA(obj))
{ {
ostr << " protocol-object "; ostr << "protocol-object ";
Service *s=Service::cast(obj); Service *s=Service::cast(obj);
assert(s!=NULL); assert(s!=NULL);
ostr << s->getProtocolName(); ostr << s->getProtocolName();
ostr << endl; return ostr.str();
continue;
} }
if (ICMPService::isA(obj)) if (ICMPService::isA(obj))
{ {
ostr << " icmp-object "; ostr << "icmp-object ";
ICMPService *s=ICMPService::cast(obj); ICMPService *s=ICMPService::cast(obj);
assert(s!=NULL); assert(s!=NULL);
if ( s->getInt("type")== -1) if ( s->getInt("type")== -1)
ostr << "any"; ostr << "any";
else else
ostr << s->getInt("type"); ostr << s->getInt("type");
ostr << endl; return ostr.str();
continue;
} }
if (TCPService::isA(obj) || UDPService::isA(obj)) if (TCPService::isA(obj) || UDPService::isA(obj))
{ {
ostr << " port-object "; ostr << "port-object ";
Service *s=Service::cast(obj); Service *s=Service::cast(obj);
assert(s!=NULL); assert(s!=NULL);
@ -118,14 +108,14 @@ string PIXObjectGroup::toString(NamedObjectManager*) throw(FWException)
else ostr << "range " << rs << " " << re; else ostr << "range " << rs << " " << re;
} }
else ostr << "range 0 65535"; else ostr << "range 0 65535";
ostr << endl; return ostr.str();
continue;
} }
throw FWException("PIXObjectGroup: Unknown object group type"); QString err("PIXObjectGroup: Unsupported object '%1' found in "
"object group");
throw FWException(err.arg(obj->getName().c_str()).toStdString());
} }
}
ostr << " exit" << endl << endl;
return ostr.str(); return ostr.str();
} }
@ -138,8 +128,14 @@ string PIXObjectGroup::getObjectGroupClass()
case ICMP_TYPE: return "icmp-type"; case ICMP_TYPE: return "icmp-type";
case TCP_SERVICE: return "service"; case TCP_SERVICE: return "service";
case UDP_SERVICE: return "service"; case UDP_SERVICE: return "service";
case TCP_UDP_SERVICE: return "service";
case MIXED_SERVICE: return "service";;
default: default:
throw FWException("PIXObjectGroup: Unknown object group type"); {
QString err("PIXObjectGroup::getObjectGroupClass(): Unknown object "
"group type '%1'");
throw FWException(err.arg(this->getObjectGroupType()).toStdString());
}
} }
} }
@ -151,9 +147,14 @@ string PIXObjectGroup::getObjectGroupHeader()
{ {
case TCP_SERVICE: ostr << " tcp"; break; case TCP_SERVICE: ostr << " tcp"; break;
case UDP_SERVICE: ostr << " udp"; break; case UDP_SERVICE: ostr << " udp"; break;
case TCP_UDP_SERVICE: ostr << " tcp-udp"; break;
default: break; default: break;
} }
ostr << endl;
return ostr.str(); return ostr.str();
} }
string PIXObjectGroup::getObjectGroupFooter()
{
return "exit";
}

6
src/cisco_lib/PIXObjectGroup.h
View File

@ -39,9 +39,11 @@ public:
virtual std::string getObjectGroupClass(); virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader(); virtual std::string getObjectGroupHeader();
virtual std::string toString(NamedObjectManager *named_obj_manager) virtual std::string getObjectGroupFooter();
throw(libfwbuilder::FWException);
virtual std::string groupMemberToString(
libfwbuilder::FWObject *obj, NamedObjectManager *named_obj_manager)
throw(libfwbuilder::FWException);
}; };
} }

9
src/cisco_lib/PolicyCompiler_iosacl.cpp
View File

@ -458,9 +458,12 @@ void PolicyCompiler_iosacl::compile()
add( new splitTCPServiceWithFlags( add( new splitTCPServiceWithFlags(
"separate TCP service with tcp flags")); "separate TCP service with tcp flags"));
add( new CreateObjectGroupsForSrc("create object groups for Src")); add( new CreateObjectGroupsForSrc("create object groups for Src",
add( new CreateObjectGroupsForDst("create object groups for Dst")); named_objects_manager));
add( new CreateObjectGroupsForSrv("create object groups for Srv")); add( new CreateObjectGroupsForDst("create object groups for Dst",
named_objects_manager));
add( new CreateObjectGroupsForSrv("create object groups for Srv",
named_objects_manager));
} else } else
{ {
add( new ConvertToAtomic ("convert to atomic rules" ) ); add( new ConvertToAtomic ("convert to atomic rules" ) );

36
src/cisco_lib/PolicyCompiler_pix.cpp
View File

@ -515,7 +515,6 @@ void PolicyCompiler_pix::compile()
if ( fwopt->getBool("pix_assume_fw_part_of_any")) if ( fwopt->getBool("pix_assume_fw_part_of_any"))
{ {
// add( new splitIfSrcAny( "split rule if src is any" ));
// Note that this splits the rule if Dst==any and one or more // Note that this splits the rule if Dst==any and one or more
// icmp services are found in Srv. The name of this rule // icmp services are found in Srv. The name of this rule
// processor needs to be more descriptive. // processor needs to be more descriptive.
@ -525,12 +524,6 @@ void PolicyCompiler_pix::compile()
add( new splitIfSrcMatchesFw ("split rule if Src matches FW" )); add( new splitIfSrcMatchesFw ("split rule if Src matches FW" ));
add( new splitIfDstMatchesFw ("split rule if Dst matches FW" )); add( new splitIfDstMatchesFw ("split rule if Dst matches FW" ));
// if ( !outbound_acl_supported )
// add( new fillDirection_v6 ("determine directions" ));
// if ( fwopt->getBool("pix_replace_natted_objects"))
// add( new replaceTranslatedAddresses ("replace objects in DST that are TDst in DNAT translations" ));
add( new telnetToFirewall( add( new telnetToFirewall(
"separate rules controlling telnet to firewall")); "separate rules controlling telnet to firewall"));
add( new sshToFirewall("separate rules controlling ssh to firewall" )); add( new sshToFirewall("separate rules controlling ssh to firewall" ));
@ -538,12 +531,12 @@ void PolicyCompiler_pix::compile()
add( new separateSrcPort("split rules matching source ports")); add( new separateSrcPort("split rules matching source ports"));
add( new separateCustom("split rules matching custom services")); add( new separateCustom("split rules matching custom services"));
if (XMLTools::version_compare(vers, "8.0")<0) // if (XMLTools::version_compare(vers, "8.0")<0)
{
add( new groupServicesByProtocol("split rules with different protocols")); add( new groupServicesByProtocol("split rules with different protocols"));
} // else
//else // add( new groupTCPUDPServices(
// add( new groupTCPUDP("split rules with TCP or UDP services")); // "split rules to keep TCP and UDP services separate "
// "from other protocols"));
add( new PrepareForICMPCmd("prepare for icmp command" )); add( new PrepareForICMPCmd("prepare for icmp command" ));
@ -636,9 +629,12 @@ void PolicyCompiler_pix::compile()
"check if we have objects with errors in rule elements")); "check if we have objects with errors in rule elements"));
// add( new AvoidObjectGroup("avoid object groups for certain cases")); // add( new AvoidObjectGroup("avoid object groups for certain cases"));
add( new CreateObjectGroupsForSrc("create object groups for Src")); add( new CreateObjectGroupsForSrc("create object groups for Src",
add( new CreateObjectGroupsForDst("create object groups for Dst")); named_objects_manager));
add( new CreateObjectGroupsForSrv("create object groups for Srv")); add( new CreateObjectGroupsForDst("create object groups for Dst",
named_objects_manager));
add( new CreateObjectGroupsForSrv("create object groups for Srv",
named_objects_manager));
add( new simplePrintProgress()); add( new simplePrintProgress());
@ -646,11 +642,11 @@ void PolicyCompiler_pix::compile()
add( new printClearCommands("Clear ACLs and object groups")); add( new printClearCommands("Clear ACLs and object groups"));
if (XMLTools::version_compare(vers, "8.3")>=0) //if (XMLTools::version_compare(vers, "8.3")>=0)
{ //{
add( new printNamedObjectsForPolicy( // add( new printNamedObjectsForPolicy(
"definitions of named objects", named_objects_manager)); // "definitions of named objects", named_objects_manager));
} //}
add( new printObjectGroups( add( new printObjectGroups(
"generate code for object groups", named_objects_manager)); "generate code for object groups", named_objects_manager));

4
src/cisco_lib/PolicyCompiler_pix_writers.cpp
View File

@ -534,12 +534,14 @@ bool PolicyCompiler_pix::PrintRule::processNext()
PIXObjectGroup *pgsrv = PIXObjectGroup::cast(srvobj); PIXObjectGroup *pgsrv = PIXObjectGroup::cast(srvobj);
PIXObjectGroup *pgsrc = PIXObjectGroup::cast(srcobj); PIXObjectGroup *pgsrc = PIXObjectGroup::cast(srcobj);
PIXObjectGroup *pgdst = PIXObjectGroup::cast(dstobj); PIXObjectGroup *pgdst = PIXObjectGroup::cast(dstobj);
Service *srv_s = Service::cast(srvobj);
assert(pgsrv!=NULL || srv_s!=NULL);
if ( pgsrv!=NULL && pgsrv->isServiceGroup()) if ( pgsrv!=NULL && pgsrv->isServiceGroup())
{ {
aclstr << pgsrv->getSrvTypeName(); aclstr << pgsrv->getSrvTypeName();
} else } else
aclstr << Service::cast(srvobj)->getProtocolName(); aclstr << srv_s->getProtocolName();
aclstr << " "; aclstr << " ";

5
src/cisco_lib/specialServices.cpp
View File

@ -78,12 +78,11 @@ bool SpecialServices::processNext()
} }
} }
if (CustomService::cast(s)!=NULL && if (CustomService::cast(s)!=NULL)
XMLTools::version_compare(version, "8.3")<0)
{ {
compiler->abort( compiler->abort(
rule, rule,
"CustomService objects are only supported for ASA 8.3 and later"); "CustomService objects are not supported");
return true; return true;
} }

13
src/libfwbuilder/src/fwcompiler/Compiler.h
View File

@ -538,6 +538,19 @@ protected:
groupServicesByProtocol(const std::string &name) : groupServices(name){} groupServicesByProtocol(const std::string &name) : groupServices(name){}
}; };
/**
* split rules with more than one service object, so that all
* tcp and udp services are in one rule and all other
* protocols are in the other
*/
class groupTCPUDPServices: public groupServices
{
protected:
virtual int groupingCode(const libfwbuilder::Service *srv);
public:
groupTCPUDPServices(const std::string &name) : groupServices(name){}
};
/** /**
* separate service object that satisfies condition * separate service object that satisfies condition
* implemented in the virtual method "condition" so we have * implemented in the virtual method "condition" so we have

5
src/libfwbuilder/src/fwcompiler/ServiceRuleProcessors.cpp
View File

@ -105,6 +105,11 @@ int Compiler::groupServicesByProtocol::groupingCode(const Service *srv)
return srv->getProtocolNumber(); return srv->getProtocolNumber();
} }
int Compiler::groupTCPUDPServices::groupingCode(const Service *srv)
{
return ( TCPService::isA(srv) || UDPService::isA(srv));
}
Compiler::separateServiceObject::separateServiceObject( Compiler::separateServiceObject::separateServiceObject(
const string &name) : BasicRuleProcessor(name) const string &name) : BasicRuleProcessor(name)
{ {

17
test/pix/Makefile Normal file
View File

@ -0,0 +1,17 @@
FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort)
CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort)
$(FW_OBJECTS):
fwb_pix -f objects-for-regression-tests.fwb -xt $@
$(CL_OBJECTS):
fwb_pix -f cluster-tests.fwb -xt -xc $@
.PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS)
all: firewalls clusters
firewalls: $(FW_OBJECTS)
clusters: $(CL_OBJECTS)

53
test/pix/objects-for-regression-tests.fwb
View File

@ -1381,7 +1381,7 @@
<CustomServiceCommand platform="ipfw"></CustomServiceCommand> <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand> <CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand> <CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix">resetinbound interface outside</CustomServiceCommand> <CustomServiceCommand platform="pix">tcp destination neq 8080</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl"></CustomServiceCommand> <CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand> <CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService> </CustomService>
@ -17022,7 +17022,7 @@ no sysopt nodnsalias outbound
</Option> </Option>
</FirewallOptions> </FirewallOptions>
</Firewall> </Firewall>
<Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295315133" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False"> <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295404811" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
<NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> <NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id70310X19497" disabled="False" position="0" action="Translate" comment=""> <NATRule id="id70310X19497" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False"> <OSrc neg="False">
@ -17475,7 +17475,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option> <Option name="xlate_ss">0</Option>
</FirewallOptions> </FirewallOptions>
</Firewall> </Firewall>
<Firewall id="id86621X27607" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295315133" platform="pix" version="8.3" name="firewall81" comment="test for the warning issued when translated address is used in&#10;policy rule&#10;" ro="False"> <Firewall id="id86621X27607" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295404811" platform="pix" version="8.3" name="firewall81" comment="test for the warning issued when translated address is used in&#10;policy rule&#10;" ro="False">
<NAT id="id86771X27607" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> <NAT id="id86771X27607" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id138353X27607" disabled="False" position="0" action="Translate" comment=""> <NATRule id="id138353X27607" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False"> <OSrc neg="False">
@ -18430,7 +18430,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option> <Option name="xlate_ss">0</Option>
</FirewallOptions> </FirewallOptions>
</Firewall> </Firewall>
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295315390" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False"> <Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295404811" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> <NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment=""> <NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False"> <OSrc neg="False">
@ -19093,7 +19093,50 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option> <Option name="stateless">True</Option>
</PolicyRuleOptions> </PolicyRuleOptions>
</PolicyRule> </PolicyRule>
<PolicyRule id="id19907X26146" disabled="False" log="False" position="1" action="Deny" direction="Both" comment=""> <PolicyRule id="id119026X32145" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="for #1942&#10;using custom service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id21571X21575"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id118979X32145" disabled="False" group="" log="False" position="2" action="Deny" direction="Both" comment="for #1942&#10;using custom service">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id21571X21575"/>
<ServiceRef ref="id3B5009F7"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id19907X26146" disabled="False" log="False" position="3" action="Deny" direction="Both" comment="">
<Src neg="False"> <Src neg="False">
<ObjectRef ref="sysid0"/> <ObjectRef ref="sysid0"/>
</Src> </Src>