see #1942, #1943 fixed generation of the

"object-group" statements by adding protocol keyword at the end so
that the group can be used in access-list commands.

.gitignore

@@ -23,7 +23,7 @@ core
 build_num
 test/ipt/secuwall-1
 Makefile
-!test/ipt/Makefile
+!test/*/Makefile
 install*
 ltmain.sh
 configure

doc/ChangeLog

@@ -1,3 +1,13 @@
+2011-01-18  Vadim Kurland  <vadim@netcitadel.com>
+
+	* PIXObjectGroup.cpp: see #1942, #1943 fixed generation of the
+	"object-group" statements by adding protocol keyword at the end so
+	that the group can be used in access-list commands. It looks like
+	mixed service groups that have no protocol keyword at the end of
+	the line that defines them cause error "specified object group
+	<foo> has wrong type; expecting service type". I am going to avoid
+	using mixed service groups because of this.
+
 2011-01-17  vadim  <vadim@netcitadel.com>
 
 	* ASA8TwiceNatLogic.cpp (getAutomaticType): fixes #1916 "nat rule

src/cisco_lib/ASA8ObjectGroup.cpp

@@ -46,106 +46,21 @@ using namespace fwcompiler;
 
 const char *ASA8ObjectGroup::TYPENAME={"ASA8ObjectGroup"};
 
-string ASA8ObjectGroup::toString(NamedObjectManager *named_object_manager)
-    throw(FWException)
+
+string ASA8ObjectGroup::groupMemberToString(
+    FWObject *obj, NamedObjectManager *named_object_manager)
+    throw(libfwbuilder::FWException)
 {
-    ostringstream ostr;
-
-    if (this->size()==0) return "";
-
-    ostr << getObjectGroupHeader();
-
-    for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
-    {
-        FWObject *o   = *i1;
-        FWObject *obj = o;
-        if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
-
     NamedObject *named_object =
         named_object_manager->named_objects[obj->getId()];
 
     if (named_object)
     {
-            ostr << " "
-                 << named_object->getCommandWhenObjectGroupMember(
+        return named_object->getCommandWhenObjectGroupMember(
             named_object_manager->fw).toStdString();
-            ostr << endl;
-            continue;
     }
         
-        if (this->getObjectGroupType() == NETWORK)
-        {
-            Address *a = Address::cast(obj);
-            assert(a!=NULL);
-            const InetAddr *addr = a->getAddressPtr();
-            ostr << " network-object ";
-            if (Network::cast(obj)!=NULL)
-            {
-                const InetAddr *mask = a->getNetmaskPtr();
-                ostr << addr->toString() << " ";
-                ostr << mask->toString() << " ";
-            } else {
-                ostr << " host ";
-                ostr << addr->toString() << " ";
-            }
-            ostr << endl;
-            continue;
-
-        } else
-        {
-
-            if (IPService::isA(obj))
-            {
-                ostr << " service-object ";
-                Service *s = Service::cast(obj);
-                assert(s!=NULL);
-                ostr << s->getProtocolName();
-                ostr << endl;
-                continue;
-            }
-
-            if (ICMPService::isA(obj))
-            {
-                ostr << " service-object icmp ";
-                ICMPService *s = ICMPService::cast(obj);
-                assert(s!=NULL);
-                if ( s->getInt("type")== -1)
-                    ostr << "";  // no keyword "any" anymore
-                else
-                    ostr << s->getInt("type");
-                ostr << endl;
-                continue;
-            }
-
-            if (TCPService::isA(obj) || UDPService::isA(obj))
-            {
-                ostr << " service-object ";
-                ostr << ((TCPService::isA(obj))? "tcp " : "udp ");
-
-                Service *s = Service::cast(obj);
-                assert(s!=NULL);
-
-                int rs = TCPUDPService::cast(s)->getDstRangeStart();
-                int re = TCPUDPService::cast(s)->getDstRangeEnd();
-
-                if (rs<0) rs = 0;
-                if (re<0) re = 0;
-
-                if (rs>0 || re>0) {
-                    if (rs==re)  ostr << "eq " << rs;
-                    else         ostr << "range " << rs << " " << re;
-                }
-                else ostr << "range 0 65535";
-                ostr << endl;
-                continue;
-            }
-
-            QString err("ASA8ObjectGroup: Unsupported object '%1' found in object group");
-            throw FWException(err.arg(obj->getName().c_str()).toStdString());
-        }
-    }
-    ostr << " exit" << endl << endl;
-    return ostr.str();
+    return PIXObjectGroup::groupMemberToString(obj, named_object_manager);
 }
 
 string ASA8ObjectGroup::getObjectGroupClass()
@@ -157,28 +72,3 @@ string ASA8ObjectGroup::getObjectGroupClass()
     }
 }
 
-string ASA8ObjectGroup::getObjectGroupHeader()
-{
-    ostringstream ostr;
-    ostr << "object-group " << getObjectGroupClass() << " " << this->getName();
-    ostr << endl;
-    return ostr.str();
-}
-
-/*
- * We support CustomService objects in ASA8 object groups. If this group
- * has custom service object, get protocol from it. Rule processors should
- * ensure that there is only one custom service object in the group
- */
-string ASA8ObjectGroup::getSrvTypeName()
-{
-    FWObject *obj = FWReference::getObject(this->front());
-
-    if (isServiceGroup() && CustomService::isA(obj))
-    {
-        return CustomService::cast(obj)->getProtocol();
-    } else
-        return PIXObjectGroup::getSrvTypeName();
-}
-
-

src/cisco_lib/ASA8ObjectGroup.h

@@ -39,9 +39,11 @@ public:
         DECLARE_FWOBJECT_SUBTYPE(ASA8ObjectGroup);
 
         virtual std::string getObjectGroupClass();
-        virtual std::string getObjectGroupHeader();
-        virtual std::string getSrvTypeName();
-        virtual std::string toString(NamedObjectManager *named_obj_manager)
+        //virtual std::string getObjectGroupHeader();
+        //virtual std::string getSrvTypeName();
+
+        virtual std::string groupMemberToString(
+            libfwbuilder::FWObject *obj, NamedObjectManager *named_obj_manager)
             throw(libfwbuilder::FWException);
 
     };

src/cisco_lib/BaseObjectGroup.cpp

@@ -26,6 +26,7 @@
 #include "config.h"
 
 #include "BaseObjectGroup.h"
+#include "NamedObjectsAndGroupsSupport.h"
 
 #include "fwbuilder/Address.h"
 #include "fwbuilder/Network.h"
@@ -35,23 +36,27 @@
 #include "fwbuilder/UDPService.h"
 #include "fwbuilder/CustomService.h"
 
-#include <iostream>
 #include <sstream>
 
+#include <QStringList>
+
+
 using namespace libfwbuilder;
 using namespace fwcompiler;
 using namespace std;
 
+
 map<string,int>  BaseObjectGroup::name_disambiguation;
 
 const char *BaseObjectGroup::TYPENAME={"BaseObjectGroup"};
 
-string BaseObjectGroup::registerGroupName(const std::string &prefix)
+string BaseObjectGroup::registerGroupName(const std::string &prefix,
+                                          object_group_type gt)
 {
     ostringstream  str;
     str << prefix;
 
-    switch (getObjectGroupType())
+    switch (gt)
     {
     case UNKNOWN:         str << ".unknown"; break;
     case NETWORK:         str << ".net";     break;
@@ -59,34 +64,88 @@ string BaseObjectGroup::registerGroupName(const std::string &prefix)
     case ICMP_TYPE:       str << ".icmp";    break;
     case TCP_SERVICE:     str << ".tcp";     break;
     case UDP_SERVICE:     str << ".udp";     break;
+    case TCP_UDP_SERVICE: str << ".tcpudp";  break;
     case MIXED_SERVICE:   str << ".mixed";   break;
     }
 
     int n = name_disambiguation[str.str()];
-    name_disambiguation[str.str()]=n+1;
+    name_disambiguation[str.str()] = n + 1;
     str << "." << n;
     return str.str();
 }
 
-BaseObjectGroup::object_group_type BaseObjectGroup::getObjectGroupTypeFromFWObject(FWObject *obj)
+BaseObjectGroup::object_group_type BaseObjectGroup::getObjectGroupTypeFromFWObject(
+    const FWObject *obj)
 {
-    if (Address::cast(obj)!=NULL)     return NETWORK;
-    if (IPService::cast(obj)!=NULL)   return PROTO;
-    if (ICMPService::cast(obj)!=NULL) return ICMP_TYPE;
-    if (TCPService::cast(obj)!=NULL)  return TCP_SERVICE;
-    if (UDPService::cast(obj)!=NULL)  return UDP_SERVICE;
-    if (CustomService::cast(obj)!=NULL)  return MIXED_SERVICE;
+    if (Address::constcast(obj)!=NULL)     return NETWORK;
+    if (IPService::constcast(obj)!=NULL)   return PROTO;
+    if (ICMPService::constcast(obj)!=NULL) return ICMP_TYPE;
+    if (TCPService::constcast(obj)!=NULL)  return TCP_SERVICE;
+    if (UDPService::constcast(obj)!=NULL)  return UDP_SERVICE;
     return UNKNOWN;
 }
 
-void BaseObjectGroup::setObjectGroupTypeFromFWObject(FWObject *obj)
+void BaseObjectGroup::setObjectGroupTypeFromFWObject(const FWObject *obj)
 {
     setObjectGroupType(getObjectGroupTypeFromFWObject(obj));
 }
 
-void BaseObjectGroup::setName(const std::string &prefix)
+void BaseObjectGroup::setObjectGroupTypeFromMembers(
+    NamedObjectManager *named_object_manager)
 {
-    FWObject::setName( registerGroupName(prefix) );
+    object_group_type my_type = UNKNOWN;
+    std::map<int, int> type_counters;
+    for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
+    {
+        const FWObject *obj = FWReference::getObject(*i1);
+
+        NamedObject *named_object =
+            named_object_manager->named_objects[obj->getId()];
+
+        if (named_object)
+            obj = named_object->getObject();
+
+        object_group_type t = getObjectGroupTypeFromFWObject(obj);
+        if (type_counters.count(t) == 0) type_counters[t] = 1;
+        else type_counters[t]++;
+    }
+
+    if (type_counters[NETWORK]!=0 &&
+        (type_counters[PROTO]!=0 ||
+         type_counters[ICMP_TYPE]!=0 ||
+         type_counters[TCP_SERVICE]!=0 ||
+         type_counters[UDP_SERVICE]!=0 ||
+         type_counters[MIXED_SERVICE]!=0))
+        throw FWException("Object group should not contain both "
+                          "network and service objects");
+
+    if (type_counters[NETWORK]!=0) my_type = NETWORK;
+    
+    if (type_counters[PROTO]==0 &&
+        type_counters[ICMP_TYPE]==0 &&
+        (type_counters[TCP_SERVICE]!=0 ||
+         type_counters[UDP_SERVICE]!=0) &&
+        type_counters[MIXED_SERVICE]==0)
+    {
+        if (type_counters[TCP_SERVICE]!=0 && type_counters[UDP_SERVICE]!=0)
+            my_type = TCP_UDP_SERVICE;
+        if (type_counters[TCP_SERVICE]!=0 && type_counters[UDP_SERVICE]==0)
+            my_type = TCP_SERVICE;
+        if (type_counters[TCP_SERVICE]==0 && type_counters[UDP_SERVICE]!=0)
+            my_type = UDP_SERVICE;
+    }
+
+    if (type_counters[PROTO]!=0 &&
+        type_counters[ICMP_TYPE]==0 &&
+        type_counters[MIXED_SERVICE]==0) my_type = PROTO;
+
+    if (type_counters[PROTO]==0 &&
+        type_counters[ICMP_TYPE]!=0 &&
+        type_counters[MIXED_SERVICE]==0) my_type = ICMP_TYPE;
+
+    if (my_type==UNKNOWN) my_type = MIXED_SERVICE;
+
+    setObjectGroupType(my_type);
 }
 
 bool BaseObjectGroup::isServiceGroup()
@@ -97,6 +156,7 @@ bool BaseObjectGroup::isServiceGroup()
     case ICMP_TYPE:       return true;
     case TCP_SERVICE:     return true;
     case UDP_SERVICE:     return true;
+    case TCP_UDP_SERVICE: return true;
     case MIXED_SERVICE:   return true;
     default:              return false;
     }
@@ -121,6 +181,7 @@ string BaseObjectGroup::getSrvTypeName()
     case ICMP_TYPE:    return "icmp";
     case TCP_SERVICE:  return "tcp";
     case UDP_SERVICE:  return "udp";
+    case TCP_UDP_SERVICE:  return "tcp-udp";
     default:           break;
     }
     return "";
@@ -134,19 +195,41 @@ string BaseObjectGroup::getObjectGroupClass()
     case ICMP_TYPE:
     case TCP_SERVICE:
     case UDP_SERVICE:
+    case TCP_UDP_SERVICE:
     case MIXED_SERVICE:  return "service";
     default:             return "network";
     }
     return "";
 }
 
-string BaseObjectGroup::toString(NamedObjectManager*)  throw(FWException)
+string BaseObjectGroup::groupMemberToString(FWObject*, NamedObjectManager*)
+    throw(libfwbuilder::FWException)
 {
     return "";
 }
 
+string BaseObjectGroup::toString(NamedObjectManager *nm)  throw(FWException)
+{
+    QStringList res;
+    if (this->size()==0) return "";
+    res << getObjectGroupHeader().c_str();
+    for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
+    {
+        res << QString("  %1").arg(
+            groupMemberToString(FWReference::getObject(*i1), nm).c_str());
+    }
+    res << getObjectGroupFooter().c_str();
+    res << "";
+    return res.join("\n").toStdString();
+}
+
 string BaseObjectGroup::getObjectGroupHeader()
 {
     return "";
 }
 
+string BaseObjectGroup::getObjectGroupFooter()
+{
+    return "";
+}
+

src/cisco_lib/BaseObjectGroup.h

@@ -46,18 +46,19 @@ public:
                        ICMP_TYPE, 
                        TCP_SERVICE, 
                        UDP_SERVICE,
+                       TCP_UDP_SERVICE,
                        MIXED_SERVICE } object_group_type;
 
 private:
         object_group_type gt;
 
-protected:
-        std::string registerGroupName(const std::string &prefix);
-    
 public:
 
         static std::map<std::string,int> name_disambiguation;
 
+        static std::string registerGroupName(const std::string &prefix,
+                                             object_group_type gt);
+    
         BaseObjectGroup(object_group_type _gt=UNKNOWN) : libfwbuilder::Group()
         {
             gt=_gt;
@@ -71,11 +72,10 @@ public:
         void setObjectGroupType(object_group_type _gt) { gt=_gt; }
         object_group_type getObjectGroupType() { return gt; }
 
-        object_group_type getObjectGroupTypeFromFWObject(libfwbuilder::FWObject *o);
-
-        void setObjectGroupTypeFromFWObject(libfwbuilder::FWObject *obj);
-
-        virtual void setName(const std::string &prefix);
+        void setObjectGroupTypeFromMembers(NamedObjectManager *named_obj_manager);
+        object_group_type getObjectGroupTypeFromFWObject(
+            const libfwbuilder::FWObject *o);
+        void setObjectGroupTypeFromFWObject(const libfwbuilder::FWObject *obj);
 
         bool isServiceGroup();
         bool isObjectGroup();
@@ -83,6 +83,12 @@ public:
     
         virtual std::string getObjectGroupClass();
         virtual std::string getObjectGroupHeader();
+        virtual std::string getObjectGroupFooter();
+
+        virtual std::string groupMemberToString(
+            libfwbuilder::FWObject *obj, NamedObjectManager *named_obj_manager)
+            throw(libfwbuilder::FWException);
+
         virtual std::string toString(NamedObjectManager *named_obj_manager)
             throw(libfwbuilder::FWException);
     };

src/cisco_lib/IOSObjectGroup.cpp

@@ -45,22 +45,12 @@ using namespace std;
 
 const char *IOSObjectGroup::TYPENAME={"IOSObjectGroup"};
 
-string IOSObjectGroup::toString(NamedObjectManager*)  throw(FWException)
+string IOSObjectGroup::groupMemberToString(FWObject *obj,
+                                           NamedObjectManager*)
+    throw(libfwbuilder::FWException)
 {
     ostringstream ostr;
 
-    if (this->size()==0) return "";
-
-    ostr << getObjectGroupHeader();
-
-    for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
-    {
-        FWObject *o   = *i1;
-        FWObject *obj = o;
-        if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
-
-        ostr << "  ";
-
     switch (getObjectGroupType()) 
     {
     case NETWORK:
@@ -130,10 +120,6 @@ string IOSObjectGroup::toString(NamedObjectManager*)  throw(FWException)
     default:
         throw FWException("Unknown object group type");
     }
-        ostr << endl;
-
-    }
-    ostr << "exit" << endl << endl;
     return ostr.str();
 }
 
@@ -154,7 +140,11 @@ string IOSObjectGroup::getObjectGroupHeader()
 {
     ostringstream ostr;
     ostr << "object-group " << getObjectGroupClass() << " " << this->getName();
-    ostr << endl;
     return ostr.str();
 }
 
+string IOSObjectGroup::getObjectGroupFooter()
+{
+    return "exit";
+}
+

src/cisco_lib/IOSObjectGroup.h

@@ -40,7 +40,10 @@ public:
 
         virtual std::string getObjectGroupClass();
         virtual std::string getObjectGroupHeader();
-        virtual std::string toString(NamedObjectManager *named_obj_manager)
+        virtual std::string getObjectGroupFooter();
+
+        virtual std::string groupMemberToString(
+            libfwbuilder::FWObject *obj, NamedObjectManager *named_obj_manager)
             throw(libfwbuilder::FWException);
     
     };

src/cisco_lib/NATCompiler_asa8.cpp

@@ -323,8 +323,10 @@ void NATCompiler_asa8::compile()
     // by inspector VerifyRules
     add( new ReplaceFirewallObjectsODst("replace fw object in ODst" ));
     add( new ReplaceFirewallObjectsTSrc("replace fw object in TSrc" ));
+
     add( new UseFirewallInterfaces(
-             "replace host objects with firewall's interfaces if the have the same address"));
+             "replace host objects with firewall's interfaces if "
+             "the have the same address"));
 
     // ExpandMultipleAddresses acts on different rule elements
     // depending on the rule type.
@@ -339,6 +341,7 @@ void NATCompiler_asa8::compile()
 
     add( new splitByNetworkZonesForOSrc("split by netzone for OSrc"));
 
+    //add( new groupServicesByProtocol("group services by protocol in OSrv"));
     add( new ConvertToAtomicForOSrv("convert to atomic for OSrv"));
     add( new ConvertToAtomicForTDst("convert to atomic for TDst"));
     add( new ConvertToAtomicForTSrv("convert to atomic for TSrv"));
@@ -357,13 +360,17 @@ void NATCompiler_asa8::compile()
 
     add( new SpecialServicesOSrv( "check for special services" ));
 
-    add( new CreateObjectGroupsForOSrc("create object groups for OSrc"));
-    add( new CreateObjectGroupsForODst("create object groups for ODst"));
-    add( new CreateObjectGroupsForOSrv("create object groups for OSrv"));
+    add( new CreateObjectGroupsForOSrc("create object groups for OSrc",
+                                       named_objects_manager));
+    add( new CreateObjectGroupsForODst("create object groups for ODst",
+                                       named_objects_manager));
+    add( new CreateObjectGroupsForOSrv("create object groups for OSrv",
+                                       named_objects_manager));
 
     // need special rule processor to create object groups in TSrc
     // because of a special tratment that an Interface object gets in TSrc
-    add( new CreateObjectGroupsForTSrc("create object groups for TSrc"));
+    add( new CreateObjectGroupsForTSrc("create object groups for TSrc",
+                                       named_objects_manager));
 
     add( new VerifyValidityOfTSrc("verify objects in TSrc"));
 

src/cisco_lib/NamedObject.h

@@ -56,6 +56,7 @@ public:
             const libfwbuilder::Firewall *fw);
         QString getName() { return name; }
         QString getCommandWord();
+        const libfwbuilder::FWObject* getObject() { return obj; }
     };
 }
 

src/cisco_lib/NamedObjectsAndGroupsSupport.cpp

@@ -158,58 +158,22 @@ bool CreateObjectGroups::processNext()
 
     RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
 
-
-    /*
-     * If rule element holds just one object, then there is no need to create
-     * object group. However if this one object is CustomService, then we
-     * should create the group anyway.
-     */
     if (re->size()==1)
-    {
-        if (XMLTools::version_compare(version, "8.3")>=0)
-        {
-            FWObject *obj = FWReference::getObject(re->front());
-            if (!CustomService::isA(obj))
     {
         tmp_queue.push_back(rule);
         return true;
     }
-        } else
-        {
-            tmp_queue.push_back(rule);
-            return true;
-        }
-    }
-
-    bool supports_mixed_groups =
-        Resources::platform_res[platform]->getResourceBool(
-            string("/FWBuilderResources/Target/options/") +
-            "version_" + version + "/supports_mixed_service_groups");
 
     BaseObjectGroup *obj_group = findObjectGroup(re);
     if (obj_group==NULL)
     {
         //obj_group= new BaseObjectGroup();
         obj_group = ObjectGroupFactory::createObjectGroup(compiler->fw);
+        object_groups->add(obj_group);
 
-        FWObject *obj = FWReference::getObject(re->front());
-        BaseObjectGroup::object_group_type og_type =
-            obj_group->getObjectGroupTypeFromFWObject(obj);
-        obj_group->setObjectGroupType(og_type);
+        packObjects(re, obj_group);
 
-        if (obj_group->isServiceGroup() && supports_mixed_groups && re->size() > 1)
-        {
-            // rule element contains >1 object, check if they are of different types
-            for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1) 
-            {
-                FWObject *obj = FWReference::getObject(*i1);
-                if (og_type != obj_group->getObjectGroupTypeFromFWObject(obj))
-                {
-                    obj_group->setObjectGroupType(BaseObjectGroup::MIXED_SERVICE);
-                    break;
-                }
-            }
-        }
+        obj_group->setObjectGroupTypeFromMembers(named_objects_manager);
 
         QStringList gn;
         if (!rule_iface->getLabel().empty())
@@ -218,11 +182,9 @@ bool CreateObjectGroups::processNext()
         gn.push_back(rule->getUniqueId().c_str());
         gn.push_back(name_suffix.c_str());
 
-        string new_name = gn.join(".").toStdString();
-        obj_group->setName(new_name);
-        object_groups->add(obj_group);
-
-        packObjects(re, obj_group);
+        string group_name = BaseObjectGroup::registerGroupName(
+            gn.join(".").toStdString(), obj_group->getObjectGroupType());
+        obj_group->setName(group_name);
 
     } else
     {
@@ -322,22 +284,9 @@ void printNamedObjectsCommon::printObjectsForRE(RuleElement *re)
     }
 }
 
-bool printNamedObjectsForPolicy::haveCustomService(FWObject *grp)
-{
-    for (FWObject::iterator it=grp->begin(); it!=grp->end(); ++it)
-    {
-        FWObject *obj = FWReference::getObject(*it);
-        if (BaseObjectGroup::constcast(obj)!=NULL)
-        {
-            if (haveCustomService(obj)) return true;
-        } else
-        {
-            if (CustomService::isA(obj)) return true;
-        }
-    }
-    return false;
-}
-
+/*
+ * We do not need object-groups for policy rules.
+ */
 bool printNamedObjectsForPolicy::processNext()
 {
     slurp();
@@ -350,16 +299,12 @@ bool printNamedObjectsForPolicy::processNext()
         PolicyRule *policy_rule = PolicyRule::cast( *k );
         if (policy_rule)
         {
-            // At this time, we only need object groups in policy rules
-            // when CustomService object is used in Service
-
             // RuleElementSrc *src_re = policy_rule->getSrc();  assert(src_re);
             // printObjectsForRE(src_re);
             // RuleElementDst *dst_re = policy_rule->getDst();  assert(dst_re);
             // printObjectsForRE(dst_re);
-
-            RuleElementSrv *srv_re = policy_rule->getSrv();  assert(srv_re);
-            if (haveCustomService(srv_re)) printObjectsForRE(srv_re);
+            // RuleElementSrv *srv_re = policy_rule->getSrv();  assert(srv_re);
+            // if (haveCustomService(srv_re)) printObjectsForRE(srv_re);
         }
     }
 

src/cisco_lib/NamedObjectsAndGroupsSupport.h

@@ -59,6 +59,7 @@ protected:
 
         std::string re_type;
         std::string name_suffix;
+        NamedObjectManager *named_objects_manager;
 
         BaseObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re);
 
@@ -72,8 +73,14 @@ public:
 
         CreateObjectGroups(const std::string &name,
                            const std::string &_ns,
-                   const std::string &_type) :
-            BasicRuleProcessor(name) {re_type=_type; name_suffix=_ns; }
+                           const std::string &_type,
+                           NamedObjectManager *m) :
+            BasicRuleProcessor(name)
+            {
+                re_type=_type;
+                name_suffix=_ns;
+                named_objects_manager = m;
+            }
 
         virtual ~CreateObjectGroups();
         virtual bool processNext();
@@ -85,22 +92,22 @@ public:
     class CreateObjectGroupsForSrc : public CreateObjectGroups
     {
 public:
-        CreateObjectGroupsForSrc(const std::string &n) : 
-          CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME) {}
+CreateObjectGroupsForSrc(const std::string &n, NamedObjectManager *m) : 
+        CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME, m) {}
     };
 
     class CreateObjectGroupsForDst : public CreateObjectGroups
     {
 public:
-        CreateObjectGroupsForDst(const std::string &n) : 
-          CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME) {}
+        CreateObjectGroupsForDst(const std::string &n, NamedObjectManager *m) : 
+        CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME, m) {}
     };
 
     class CreateObjectGroupsForSrv : public CreateObjectGroups
     {
 public:
-        CreateObjectGroupsForSrv(const std::string &n) : 
-          CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {}
+        CreateObjectGroupsForSrv(const std::string &n, NamedObjectManager *m) : 
+        CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME, m) {}
     };
     
 
@@ -110,22 +117,22 @@ public:
     class CreateObjectGroupsForOSrc : public CreateObjectGroups
     {
 public:
-        CreateObjectGroupsForOSrc(const std::string &n) : 
-          CreateObjectGroups(n,"osrc",libfwbuilder::RuleElementOSrc::TYPENAME) {}
+        CreateObjectGroupsForOSrc(const std::string &n, NamedObjectManager *m) : 
+        CreateObjectGroups(n,"osrc",libfwbuilder::RuleElementOSrc::TYPENAME, m){}
     };
 
     class CreateObjectGroupsForODst : public CreateObjectGroups
     {
 public:
-        CreateObjectGroupsForODst(const std::string &n) : 
-          CreateObjectGroups(n,"odst",libfwbuilder::RuleElementODst::TYPENAME) {}
+        CreateObjectGroupsForODst(const std::string &n, NamedObjectManager *m) : 
+        CreateObjectGroups(n,"odst",libfwbuilder::RuleElementODst::TYPENAME, m){}
     };
 
     class CreateObjectGroupsForOSrv : public CreateObjectGroups
     {
 public:
-        CreateObjectGroupsForOSrv(const std::string &n) : 
-          CreateObjectGroups(n,"osrv",libfwbuilder::RuleElementOSrv::TYPENAME) {}
+        CreateObjectGroupsForOSrv(const std::string &n, NamedObjectManager *m) : 
+        CreateObjectGroups(n,"osrv",libfwbuilder::RuleElementOSrv::TYPENAME, m){}
     };
     
     class CreateObjectGroupsForTSrc : public CreateObjectGroups
@@ -136,8 +143,8 @@ protected:
                                  BaseObjectGroup *obj_group);
 
 public:
-        CreateObjectGroupsForTSrc(const std::string &n) : 
-          CreateObjectGroups(n,"tsrc",libfwbuilder::RuleElementTSrc::TYPENAME) {}
+        CreateObjectGroupsForTSrc(const std::string &n, NamedObjectManager *m) : 
+        CreateObjectGroups(n,"tsrc",libfwbuilder::RuleElementTSrc::TYPENAME, m){}
     };
 
 
@@ -177,7 +184,6 @@ public:
 
     class printNamedObjectsForPolicy :  public printNamedObjectsCommon
     {
-        bool haveCustomService(libfwbuilder::FWObject *grp);
 public:
         printNamedObjectsForPolicy(const std::string &n,
             NamedObjectManager *m) : printNamedObjectsCommon(n, m) {}

src/cisco_lib/ObjectGroupFactory.cpp

@@ -47,6 +47,8 @@ BaseObjectGroup* ObjectGroupFactory::createObjectGroup(
     string platform = fw->getStr("platform");
     if (platform == "pix" || platform == "fwsm")
     {
+        //return new PIXObjectGroup(_gt);
+
         if (XMLTools::version_compare(version, "8.0")<0)
             return new PIXObjectGroup(_gt);
         else

src/cisco_lib/PIXObjectGroup.cpp

@@ -43,67 +43,57 @@ using namespace std;
 
 const char *PIXObjectGroup::TYPENAME={"PIXObjectGroup"};
 
-string PIXObjectGroup::toString(NamedObjectManager*)  throw(FWException)
+
+string PIXObjectGroup::groupMemberToString(FWObject *obj,
+                                           NamedObjectManager*)
+    throw(libfwbuilder::FWException)
 {
     ostringstream ostr;
 
-    if (this->size()==0) return "";
-
-    ostr << getObjectGroupHeader();
-
-    for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
-    {
-        FWObject *o   = *i1;
-        FWObject *obj = o;
-        if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
-
     if (this->getObjectGroupType() == NETWORK)
     {
         Address *a = Address::cast(obj);
         assert(a!=NULL);
         const InetAddr *addr = a->getAddressPtr();
-            ostr << " network-object ";
+        ostr << "network-object ";
         if (Network::cast(obj)!=NULL)
         {
             const InetAddr *mask = a->getNetmaskPtr();
             ostr << addr->toString() << " ";
             ostr << mask->toString() << " ";
         } else {
-                ostr << " host ";
+            ostr << "host ";
             ostr << addr->toString() << " ";
         }
-            ostr << endl;
-            continue;
+        return ostr.str();
 
     } else
     {
 
         if (IPService::isA(obj))
         {
-                ostr << " protocol-object ";
+            ostr << "protocol-object ";
             Service *s=Service::cast(obj);
             assert(s!=NULL);
             ostr << s->getProtocolName();
-                ostr << endl;
-                continue;
+            return ostr.str();
         }
 
         if (ICMPService::isA(obj))
         {
-                ostr << " icmp-object ";
+            ostr << "icmp-object ";
             ICMPService *s=ICMPService::cast(obj);
             assert(s!=NULL);
             if ( s->getInt("type")== -1)
                 ostr << "any";
             else
                 ostr << s->getInt("type");
-                ostr << endl;
-                continue;
+            return ostr.str();
         }
 
         if (TCPService::isA(obj) || UDPService::isA(obj))
         {
-                ostr << " port-object ";
+            ostr << "port-object ";
             Service *s=Service::cast(obj);
             assert(s!=NULL);
 
@@ -118,14 +108,14 @@ string PIXObjectGroup::toString(NamedObjectManager*)  throw(FWException)
                 else         ostr << "range " << rs << " " << re;
             }
             else ostr << "range 0 65535";
-                ostr << endl;
-                continue;
+            return ostr.str();
         }
 
-            throw FWException("PIXObjectGroup: Unknown object group type");
+        QString err("PIXObjectGroup: Unsupported object '%1' found in "
+                    "object group");
+        throw FWException(err.arg(obj->getName().c_str()).toStdString());
     }
-    }
-    ostr << " exit" << endl << endl;
+
     return ostr.str();
 }
 
@@ -138,8 +128,14 @@ string PIXObjectGroup::getObjectGroupClass()
     case ICMP_TYPE:       return "icmp-type";
     case TCP_SERVICE:     return "service";
     case UDP_SERVICE:     return "service";
+    case TCP_UDP_SERVICE: return "service";
+    case MIXED_SERVICE:   return "service";;
     default:
-        throw FWException("PIXObjectGroup: Unknown object group type");
+    {
+        QString err("PIXObjectGroup::getObjectGroupClass(): Unknown object "
+                    "group type '%1'");
+        throw FWException(err.arg(this->getObjectGroupType()).toStdString());
+    }
     }
 }
 
@@ -151,9 +147,14 @@ string PIXObjectGroup::getObjectGroupHeader()
     {
     case TCP_SERVICE:     ostr << " tcp"; break;
     case UDP_SERVICE:     ostr << " udp"; break;
+    case TCP_UDP_SERVICE: ostr << " tcp-udp"; break;
     default: break;
     }
-    ostr << endl;
     return ostr.str();
 }
 
+string PIXObjectGroup::getObjectGroupFooter()
+{
+    return "exit";
+}
+

src/cisco_lib/PIXObjectGroup.h

@@ -39,9 +39,11 @@ public:
 
         virtual std::string getObjectGroupClass();
         virtual std::string getObjectGroupHeader();
-        virtual std::string toString(NamedObjectManager *named_obj_manager)
-            throw(libfwbuilder::FWException);
+        virtual std::string getObjectGroupFooter();
 
+        virtual std::string groupMemberToString(
+            libfwbuilder::FWObject *obj, NamedObjectManager *named_obj_manager)
+            throw(libfwbuilder::FWException);
     };
 }
 

src/cisco_lib/PolicyCompiler_iosacl.cpp

@@ -458,9 +458,12 @@ void PolicyCompiler_iosacl::compile()
         add( new splitTCPServiceWithFlags(
                  "separate TCP service with tcp flags"));
 
-        add( new CreateObjectGroupsForSrc("create object groups for Src"));
-        add( new CreateObjectGroupsForDst("create object groups for Dst"));
-        add( new CreateObjectGroupsForSrv("create object groups for Srv"));
+        add( new CreateObjectGroupsForSrc("create object groups for Src",
+                                          named_objects_manager));
+        add( new CreateObjectGroupsForDst("create object groups for Dst",
+                                          named_objects_manager));
+        add( new CreateObjectGroupsForSrv("create object groups for Srv",
+                                          named_objects_manager));
     } else
     {
         add( new ConvertToAtomic ("convert to atomic rules" ) );

src/cisco_lib/PolicyCompiler_pix.cpp

@@ -515,7 +515,6 @@ void PolicyCompiler_pix::compile()
 
     if ( fwopt->getBool("pix_assume_fw_part_of_any"))
     {
-// add( new splitIfSrcAny( "split rule if src is any" ));
         // Note that this splits the rule if Dst==any and one or more
         // icmp services are found in Srv. The name of this rule
         // processor needs to be more descriptive.
@@ -525,12 +524,6 @@ void PolicyCompiler_pix::compile()
     add( new splitIfSrcMatchesFw ("split rule if Src matches FW" ));
     add( new splitIfDstMatchesFw ("split rule if Dst matches FW" ));
 
-// if ( !outbound_acl_supported )
-// add( new fillDirection_v6 ("determine directions" ));
-
-//	if ( fwopt->getBool("pix_replace_natted_objects"))
-// add( new replaceTranslatedAddresses ("replace objects in DST that are TDst in DNAT translations" ));
-
     add( new telnetToFirewall(
              "separate rules controlling telnet to firewall"));
     add( new sshToFirewall("separate rules controlling ssh to firewall" ));
@@ -538,12 +531,12 @@ void PolicyCompiler_pix::compile()
     add( new separateSrcPort("split rules matching source ports"));
     add( new separateCustom("split rules matching custom services"));
 
-    if (XMLTools::version_compare(vers, "8.0")<0)
-    {
+//    if (XMLTools::version_compare(vers, "8.0")<0)
         add( new groupServicesByProtocol("split rules with different protocols"));
-    } 
-    //else
-    //    add( new groupTCPUDP("split rules with TCP or UDP services"));
+//    else
+//        add( new groupTCPUDPServices(
+//                 "split rules to keep TCP and UDP services separate "
+//                 "from other protocols"));
 
     add( new PrepareForICMPCmd("prepare for icmp command" ));
     
@@ -636,9 +629,12 @@ void PolicyCompiler_pix::compile()
              "check if we have objects with errors in rule elements"));
 
 // add( new AvoidObjectGroup("avoid object groups for certain cases"));
-    add( new CreateObjectGroupsForSrc("create object groups for Src"));
-    add( new CreateObjectGroupsForDst("create object groups for Dst"));
-    add( new CreateObjectGroupsForSrv("create object groups for Srv"));
+    add( new CreateObjectGroupsForSrc("create object groups for Src",
+                                      named_objects_manager));
+    add( new CreateObjectGroupsForDst("create object groups for Dst",
+                                      named_objects_manager));
+    add( new CreateObjectGroupsForSrv("create object groups for Srv",
+                                      named_objects_manager));
 
     add( new simplePrintProgress());
 
@@ -646,11 +642,11 @@ void PolicyCompiler_pix::compile()
 
     add( new printClearCommands("Clear ACLs and object groups"));
 
-    if (XMLTools::version_compare(vers, "8.3")>=0)
-    {
-        add( new printNamedObjectsForPolicy(
-                 "definitions of named objects", named_objects_manager));
-    }
+    //if (XMLTools::version_compare(vers, "8.3")>=0)
+    //{
+    //    add( new printNamedObjectsForPolicy(
+    //             "definitions of named objects", named_objects_manager));
+    //}
 
     add( new printObjectGroups(
              "generate code for object groups", named_objects_manager));

src/cisco_lib/PolicyCompiler_pix_writers.cpp

@@ -534,12 +534,14 @@ bool PolicyCompiler_pix::PrintRule::processNext()
     PIXObjectGroup *pgsrv = PIXObjectGroup::cast(srvobj);
     PIXObjectGroup *pgsrc = PIXObjectGroup::cast(srcobj);
     PIXObjectGroup *pgdst = PIXObjectGroup::cast(dstobj);
+    Service *srv_s = Service::cast(srvobj);
+    assert(pgsrv!=NULL || srv_s!=NULL);
 
     if ( pgsrv!=NULL && pgsrv->isServiceGroup())
     {
         aclstr << pgsrv->getSrvTypeName();
     } else
-        aclstr << Service::cast(srvobj)->getProtocolName();
+        aclstr << srv_s->getProtocolName();
 
     aclstr << " ";
 

src/cisco_lib/specialServices.cpp

@@ -78,12 +78,11 @@ bool SpecialServices::processNext()
         }
     }
 
-    if (CustomService::cast(s)!=NULL &&
-        XMLTools::version_compare(version, "8.3")<0)
+    if (CustomService::cast(s)!=NULL)
     {
         compiler->abort(
             rule, 
-            "CustomService objects are only supported for ASA 8.3 and later");
+            "CustomService objects are not supported");
         return true;
     }
 

src/libfwbuilder/src/fwcompiler/Compiler.h

@@ -538,6 +538,19 @@ protected:
             groupServicesByProtocol(const std::string &name) : groupServices(name){}
         };
 
+	/**
+	 * split rules with more than one service object, so that all
+	 * tcp and udp services are in one rule and all other
+	 * protocols are in the other
+	 */
+        class groupTCPUDPServices: public groupServices
+        {
+            protected:
+            virtual int groupingCode(const libfwbuilder::Service *srv);
+            public:
+            groupTCPUDPServices(const std::string &name) : groupServices(name){}
+        };
+        
         /**
 	 * separate service object that satisfies condition
 	 * implemented in the virtual method "condition" so we have

src/libfwbuilder/src/fwcompiler/ServiceRuleProcessors.cpp

@@ -105,6 +105,11 @@ int Compiler::groupServicesByProtocol::groupingCode(const Service *srv)
     return srv->getProtocolNumber();
 }
 
+int Compiler::groupTCPUDPServices::groupingCode(const Service *srv)
+{
+    return ( TCPService::isA(srv) || UDPService::isA(srv));
+}
+
 Compiler::separateServiceObject::separateServiceObject(
     const string &name) : BasicRuleProcessor(name)
 {

test/pix/Makefile

@@ -0,0 +1,17 @@
+
+FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort)
+CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort)
+
+
+$(FW_OBJECTS):
+	fwb_pix -f objects-for-regression-tests.fwb -xt $@
+
+$(CL_OBJECTS):
+	fwb_pix -f cluster-tests.fwb -xt -xc $@
+
+.PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS)
+all: firewalls clusters
+
+firewalls: $(FW_OBJECTS)
+
+clusters: $(CL_OBJECTS)

test/pix/objects-for-regression-tests.fwb

@@ -1381,7 +1381,7 @@
           <CustomServiceCommand platform="ipfw"></CustomServiceCommand>
           <CustomServiceCommand platform="iptables"></CustomServiceCommand>
           <CustomServiceCommand platform="pf"></CustomServiceCommand>
-          <CustomServiceCommand platform="pix">resetinbound interface outside</CustomServiceCommand>
+          <CustomServiceCommand platform="pix">tcp destination neq 8080</CustomServiceCommand>
           <CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
           <CustomServiceCommand platform="unknown"></CustomServiceCommand>
         </CustomService>
@@ -17022,7 +17022,7 @@ no sysopt nodnsalias outbound
         </Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295315133" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
+      <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295404811" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
         <NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id70310X19497" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -17475,7 +17475,7 @@ no sysopt nodnsalias outbound
           <Option name="xlate_ss">0</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id86621X27607" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295315133" platform="pix" version="8.3" name="firewall81" comment="test for the warning issued when translated address is used in&#10;policy rule&#10;" ro="False">
+      <Firewall id="id86621X27607" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295404811" platform="pix" version="8.3" name="firewall81" comment="test for the warning issued when translated address is used in&#10;policy rule&#10;" ro="False">
         <NAT id="id86771X27607" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id138353X27607" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -18430,7 +18430,7 @@ no sysopt nodnsalias outbound
           <Option name="xlate_ss">0</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295315390" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
+      <Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295404811" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
         <NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -19093,7 +19093,50 @@ no sysopt nodnsalias outbound
               <Option name="stateless">True</Option>
             </PolicyRuleOptions>
           </PolicyRule>
-          <PolicyRule id="id19907X26146" disabled="False" log="False" position="1" action="Deny" direction="Both" comment="">
+          <PolicyRule id="id119026X32145" disabled="False" group="" log="False" position="1" action="Deny" direction="Both" comment="for #1942&#10;using custom service">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="host-hostA"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id21571X21575"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="color">#C0BA44</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id118979X32145" disabled="False" group="" log="False" position="2" action="Deny" direction="Both" comment="for #1942&#10;using custom service">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="host-hostA"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id21571X21575"/>
+              <ServiceRef ref="id3B5009F7"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="color">#C0BA44</Option>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id19907X26146" disabled="False" log="False" position="3" action="Deny" direction="Both" comment="">
             <Src neg="False">
               <ObjectRef ref="sysid0"/>
             </Src>