see #1965 ASA Policy - PIX 6.1 configurations use object groups

doc/ChangeLog

@@ -1,5 +1,11 @@
 2011-01-20  vadim  <vadim@netcitadel.com>
 
+	* PolicyCompiler_pix.cpp (compile): See #1965 "ASA Policy - PIX
+	6.1 configurations use object groups". Policy compiler for PIX is
+	now aware that object-group statement was introduced in PIX v6.2
+	and avoids using object-groups when firewall object version is set
+	to 6.1
+
 	* NamedObjectsAndGroupsSupport.cpp (processNext): made names
 	automatically assigned to object-groups in generated PIX
 	configuration shorter by removing interface label prefix.

src/cisco_lib/PolicyCompiler_pix.cpp

@@ -421,11 +421,15 @@ void PolicyCompiler_pix::compile()
 
     string vers = fw->getStr("version");
     string platform = fw->getStr("platform");
-    bool   outbound_acl_supported = Resources::platform_res[platform]->getResourceBool(
+    bool outbound_acl_supported = Resources::platform_res[platform]->getResourceBool(
         string("/FWBuilderResources/Target/options/")+
         "version_"+vers+
         "/pix_outbound_acl_supported");
     bool generate_out_acl = fw->getOptionsObject()->getBool("pix_generate_out_acl");
+    bool object_groups_supported = Resources::platform_res[platform]->getResourceBool(
+        string("/FWBuilderResources/Target/options/")+
+        "version_"+vers+
+        "/pix_object_groups_supported");
 
     if (outbound_acl_supported && !generate_out_acl)
     {
@@ -629,13 +633,20 @@ void PolicyCompiler_pix::compile()
     add( new checkForObjectsWithErrors(
              "check if we have objects with errors in rule elements"));
 
+    if (object_groups_supported)
+    {
 // add( new AvoidObjectGroup("avoid object groups for certain cases"));
-    add( new CreateObjectGroupsForSrc("create object groups for Src",
-                                      named_objects_manager));
-    add( new CreateObjectGroupsForDst("create object groups for Dst",
-                                      named_objects_manager));
-    add( new CreateObjectGroupsForSrv("create object groups for Srv",
-                                      named_objects_manager));
+        add( new CreateObjectGroupsForSrc("create object groups for Src",
+                                          named_objects_manager));
+        add( new CreateObjectGroupsForDst("create object groups for Dst",
+                                          named_objects_manager));
+        add( new CreateObjectGroupsForSrv("create object groups for Srv",
+                                          named_objects_manager));
+    } else
+    {
+        add( new ConvertToAtomic ("convert to atomic rules" ));
+    }
+
 
     add( new simplePrintProgress());
 
@@ -651,6 +662,7 @@ void PolicyCompiler_pix::compile()
 
     add( new printObjectGroups(
              "generate code for object groups", named_objects_manager));
+
     add( new PrintRule("generate code for ACLs"));
     add( new simplePrintProgress());
 

src/res/platform/fwsm.xml

@@ -46,6 +46,8 @@
           <pix_route_dnat_supported>false</pix_route_dnat_supported>
           <pix_outbound_acl_supported>true</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>false</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
+
           <pix_commands>
             <clear_acl>clear access-list</clear_acl>
             <clear_og>clear object-group</clear_og>
@@ -140,6 +142,8 @@ nameif %in %il security%sl
           <pix_route_dnat_supported>false</pix_route_dnat_supported>
           <pix_outbound_acl_supported>true</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>false</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
+
           <pix_commands>
             <clear_acl>clear config access-list</clear_acl>
             <clear_og>clear config object-group</clear_og>

src/res/platform/pix.xml

@@ -46,6 +46,7 @@
           <pix_route_dnat_supported>true</pix_route_dnat_supported>
           <pix_outbound_acl_supported>false</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>false</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>false</pix_object_groups_supported>
 
           <supports_mixed_service_groups>False</supports_mixed_service_groups>
 
@@ -130,6 +131,7 @@
           <pix_route_dnat_supported>true</pix_route_dnat_supported>
           <pix_outbound_acl_supported>false</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>false</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
 
           <supports_mixed_service_groups>False</supports_mixed_service_groups>
 
@@ -214,6 +216,7 @@
           <pix_route_dnat_supported>false</pix_route_dnat_supported>
           <pix_outbound_acl_supported>false</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>false</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
 
           <supports_mixed_service_groups>False</supports_mixed_service_groups>
 
@@ -298,6 +301,7 @@
           <pix_route_dnat_supported>false</pix_route_dnat_supported>
           <pix_outbound_acl_supported>true</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>true</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
 
           <supports_mixed_service_groups>False</supports_mixed_service_groups>
 
@@ -383,6 +387,7 @@
           <pix_route_dnat_supported>false</pix_route_dnat_supported>
           <pix_outbound_acl_supported>true</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>true</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
 
           <supports_mixed_service_groups>True</supports_mixed_service_groups>
 
@@ -468,6 +473,7 @@
           <pix_route_dnat_supported>false</pix_route_dnat_supported>
           <pix_outbound_acl_supported>true</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>true</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
 
           <supports_mixed_service_groups>True</supports_mixed_service_groups>
 
@@ -554,6 +560,7 @@
           <pix_route_dnat_supported>false</pix_route_dnat_supported>
           <pix_outbound_acl_supported>true</pix_outbound_acl_supported>
           <pix_timeout_rpc_is_sunrpc>true</pix_timeout_rpc_is_sunrpc>
+          <pix_object_groups_supported>true</pix_object_groups_supported>
 
           <supports_mixed_service_groups>True</supports_mixed_service_groups>
 

test/pix/cluster1-1_pix1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:31 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/cluster1-1_pix2.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:31 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/cluster1_pix1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:31 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/cluster1_pix2.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:31 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/firewall.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:17 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:05 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:17 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:05 2011 PST by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
@@ -67,11 +67,6 @@ floodguard disable
 
 
 !################
-
-object-group icmp-type id3D50B022.srv.icmp.0
-  icmp-object 8
-  icmp-object 11
-exit
 ! 
 ! Rule  2 (eth1)
 ! Anti-spoofing rule
@@ -83,18 +78,22 @@ access-list outside_acl_in deny   ip 192.168.1.0 255.255.255.0 any
 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any 
 ! 
 ! Rule  4 (eth1)
-icmp permit any 8 outside
-icmp permit any 11 outside
-access-list outside_acl_in permit icmp any interface outside object-group id3D50B022.srv.icmp.0 
+icmp permit any 8  outside
+access-list outside_acl_in permit icmp any interface outside 8 
+icmp permit any 11  outside
+access-list outside_acl_in permit icmp any interface outside 11 
 ! 
 ! Rule  5 (eth1)
-access-list outside_acl_in permit icmp any any object-group id3D50B022.srv.icmp.0 
+access-list outside_acl_in permit icmp any any 8 
+access-list outside_acl_in permit icmp any any 11 
 ! 
 ! Rule  6 (eth1,eth2)
-access-list outside_acl_in permit icmp any interface outside object-group id3D50B022.srv.icmp.0 
-icmp permit any 8 dmz
-icmp permit any 11 dmz
-access-list dmz_acl_in permit icmp any host 192.168.2.1 object-group id3D50B022.srv.icmp.0 
+access-list outside_acl_in permit icmp any interface outside 8 
+access-list outside_acl_in permit icmp any interface outside 11 
+icmp permit any 8  dmz
+access-list dmz_acl_in permit icmp any host 192.168.2.1 8 
+icmp permit any 11  dmz
+access-list dmz_acl_in permit icmp any host 192.168.2.1 11 
 ! 
 ! Rule  9 (global)
 telnet 0.0.0.0 0.0.0.0 inside

test/pix/firewall10.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:18 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:06 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall11.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:18 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:06 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall12.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:19 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:07 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall13.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:19 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:07 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall14.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:20 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:08 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall2.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:20 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:08 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall20.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:21 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:09 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall21-1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:21 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:09 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall21.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:21 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:09 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/firewall22.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:21 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:10 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/firewall3.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:22 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:10 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall33.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:22 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:10 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall34.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:23 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:11 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall4.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:23 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:11 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall50.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:24 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:12 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/firewall6.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:24 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:12 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall8.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:25 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:13 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported

test/pix/firewall80.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:25 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:13 2011 PST by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported

test/pix/firewall81.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:25 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:14 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported

test/pix/firewall82.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:26 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:14 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported

test/pix/firewall83.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:26 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:14 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported

test/pix/firewall9.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:27 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:15 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported

test/pix/firewall90.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:27 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:15 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported

test/pix/firewall91.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:27 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:16 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported

test/pix/firewall92.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:28 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:16 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported

test/pix/firewall93.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:28 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:16 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported

test/pix/fwsm1.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:29 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:17 2011 PST by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported

test/pix/fwsm2.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:29 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:17 2011 PST by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported

test/pix/pix515.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:30 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:18 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported

test/pix/real.fw.orig

@@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3440
 !
-!  Generated Thu Jan 20 09:48:30 2011 PST by vadim
+!  Generated Thu Jan 20 10:08:18 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported