
* (createNATCmd::processNext): fixes #1114: "fwb_pix crash when fw

with dynamic interface is used in TDst".
This commit is contained in:
Vadim Kurland 2010-01-20 06:38:01 +00:00
parent 988b82f0a8
commit 83cd816c40
4 changed files with 91 additions and 14 deletions


@ -1 +1 @@
#define BUILD_NUM 2392
#define BUILD_NUM 2393


@ -8,6 +8,9 @@
NAT rule for PIX firewall, compiler generated configuration that
used subnet instead of just the address of the inetrface.
* (createNATCmd::processNext): fixes #1114: "fwb_pix crash when fw
with dynamic interface is used in TDst".
* ../src/iptlib/NATCompiler_ipt.cpp (VerifyRules2::processNext):
fixes #1109: "rules that do not pass verifyRules() checks may
cause compiler crash in test mode or gui crash in single rule


@ -53,6 +53,12 @@ using namespace std;
string NATCompiler_pix::myPlatformName() { return "pix"; }
string _print_addr(const InetAddr* addr)
{
if (addr) return addr->toString();
return "NULL";
}
NATCompiler_pix::NATCompiler_pix(FWObjectDatabase *_db,
Firewall *fw,
bool ipv6_policy,
@ -130,11 +136,11 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
os << " rule=" << natcmd->rule_label;
os << " nat_acl_name=" << natcmd->nat_acl_name;
os << " (" << nat_acl_names[natcmd->nat_acl_name] << ")";
os << " o_src=" << natcmd->o_src->getAddressPtr()->toString();
os << " o_dst=" << natcmd->o_dst->getAddressPtr()->toString();
os << " o_src=" << _print_addr(natcmd->o_src->getAddressPtr());
os << " o_dst=" << _print_addr(natcmd->o_dst->getAddressPtr());
os << " o_srv=" << natcmd->o_srv->getName();
os << " o_iface=" << natcmd->o_iface->getLabel();
os << " t_addr=" << natcmd->t_addr->getAddressPtr()->toString();
os << " t_addr=" << _print_addr(natcmd->t_addr->getAddressPtr());
os << " t_iface=" << natcmd->t_iface->getLabel();
os << " ignore_global=" << string((natcmd->ignore_global)?"1":"0");
os << " ignore_nat=" << string((natcmd->ignore_nat)?"1":"0");
@ -152,15 +158,15 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
StaticCmd *scmd=static_commands[ rule->getInt("sc_cmd") ];
if (scmd!=NULL)
{
string iaddr_str = (scmd->iaddr->getAddressPtr())?scmd->iaddr->getAddressPtr()->toString():"NULL";
string oaddr_str = (scmd->oaddr->getAddressPtr())?scmd->oaddr->getAddressPtr()->toString():"NULL";
string iaddr_str = _print_addr(scmd->iaddr->getAddressPtr());
string oaddr_str = _print_addr(scmd->oaddr->getAddressPtr());
os << " StaticCmd:";
os << " acl=" << scmd->acl_name;
os << " (" << nat_acl_names[scmd->acl_name] << ")";
os << " iaddr=" << iaddr_str;
os << " oaddr=" << oaddr_str;
os << " osrc=" << scmd->osrc->getAddressPtr()->toString();
os << " osrc=" << _print_addr(scmd->osrc->getAddressPtr());
os << " osrv=" << scmd->osrv->getName();
os << " tsrv=" << scmd->tsrv->getName();
}
@ -835,7 +841,6 @@ bool NATCompiler_pix::createNATCmd::processNext()
// Helper helper(compiler);
NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
if (rule->getRuleType()==NATRule::SNAT)
{
@ -881,7 +886,8 @@ bool NATCompiler_pix::createNATCmd::processNext()
/*
* "nat ... outside" is only supported in PIX 6.2
*/
natcmd->outside= ( natcmd->o_iface->getSecurityLevel()<natcmd->t_iface->getSecurityLevel());
natcmd->outside =
( natcmd->o_iface->getSecurityLevel() < natcmd->t_iface->getSecurityLevel());
if (natcmd->outside && compiler->fw->getStr("platform")=="pix" &&
libfwbuilder::XMLTools::version_compare(compiler->fw->getStr("version"),"6.2")<0 )
@ -901,6 +907,7 @@ bool NATCompiler_pix::createNATCmd::processNext()
nat_id_counter++;
}
tmp_queue.push_back(rule);
return true;
}
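Review bot: `string _print_addr(const InetAddr* addr)` is a file-scope helper with external linkage and a leading underscore; identifiers starting with an underscore in the global namespace are reserved for the implementation, and a non-static helper with this generic a name will collide at link time if another compiler source adds the same one. Make it file-local, e.g. `static string print_addr(const InetAddr* addr)` (or wrap it in an anonymous namespace) and update the four call sites in debugPrintRule. The guard now covers every `getAddressPtr()` caller in that debug path, but `natcmd->o_iface->getLabel()` and `natcmd->t_iface->getLabel()` are still dereferenced unguarded, so if a dynamic or unresolved interface can leave either pointer null the crash from #1114 just moves two lines down; worth confirming against how t_iface is populated. Separately, moving `tmp_queue.push_back(rule);` from the top of createNATCmd::processNext to its last line means any path that returns before it (the body of the `version_compare(...) < 0` check lies outside this hunk, and the function itself starts before it) now silently drops the rule instead of passing it through, which is fine only if those paths abort by throwing.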


@ -2026,7 +2026,7 @@
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3AF5AA0A" host_OS="pix_os" lastCompiled="1145688299" lastInstalled="0" lastModified="0" platform="pix" version="6.1" name="firewall1" comment="this object is used to test all kinds of negation in policy rules" ro="False">
<Firewall id="id3AF5AA0A" host_OS="pix_os" inactive="False" lastCompiled="1145688299" lastInstalled="0" lastModified="1263969139" platform="pix" version="6.3" name="firewall1" comment="this object is used to test all kinds of negation in policy rules" ro="False">
<NAT id="id3AF5AA0D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3C98491C" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -2070,7 +2070,74 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3B1328FB" disabled="False" position="2" action="Translate" comment="">
<NATRule id="id579976X27842" disabled="False" group="" position="2" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B0B4BC8"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id572656X27842" disabled="False" group="" position="3" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA99"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id580015X27842" disabled="False" group="" position="4" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3AF5AA99"/>
<ObjectRef ref="id3B0B4BC8"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3B1328FB" disabled="False" position="5" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
@ -2522,15 +2589,15 @@
<RuleSetOptions/>
</Routing>
<Interface id="id3AF5AA96" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3AF5AA96-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<IPv4 id="id3AF5AA96-ipv4" name="firewall1:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3AF5AA99" dedicated_failover="False" dyn="True" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3AF5AA99-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<IPv4 id="id3AF5AA99-ipv4" name="firewall1:eth1:ip" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3B0B4BC8" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3B0B4BC8-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<IPv4 id="id3B0B4BC8-ipv4" name="firewall1:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.1">
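Review bot: The test firewall `firewall1` appears to move from `version="6.1"` to `version="6.3"` in this fixture, which takes it past the 6.2 threshold at which createNATCmd::processNext rejects `nat ... outside`; if this was the only PIX object below 6.2 in the test set, that error path is now unexercised, so consider keeping one firewall at 6.1 or adding a second. The three NAT rules added at positions 2–4 put the dynamic interface `id3AF5AA99` (`dyn="True"`) in TSrc while TDst is `sysid0` in every one of them, whereas the commit title names a dynamic interface in TDst; if the crash was specific to TDst, a rule that references the dynamic interface there would reproduce it more directly. These rule ids (`id579976X27842` etc.) are presumably GUI-generated; no action needed on them.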