From 83cd816c40da8fcb3458ffbfefda60f60e585467 Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@netcitadel.com>
Date: Wed, 20 Jan 2010 06:38:01 +0000
Subject: [PATCH] * (createNATCmd::processNext): fixes #1114: "fwb_pix crash
 when fw with dynamic interface is used in TDst".

---
 build_num                                 |  2 +-
 doc/ChangeLog                             |  3 +
 src/cisco_lib/NATCompiler_pix.cpp         | 23 ++++---
 test/pix/objects-for-regression-tests.fwb | 77 +++++++++++++++++++++--
 4 files changed, 91 insertions(+), 14 deletions(-)

diff --git a/build_num b/build_num
index 86c1cedc8..b96ff4f0c 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 2392
+#define BUILD_NUM 2393
diff --git a/doc/ChangeLog b/doc/ChangeLog
index eaecf722d..58a167140 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -8,6 +8,9 @@
 	NAT rule for PIX firewall, compiler generated configuration that
 	used subnet instead of just the address of the inetrface.
 
+	* (createNATCmd::processNext): fixes #1114: "fwb_pix crash when fw
+	with dynamic interface is used in TDst".
+
 	* ../src/iptlib/NATCompiler_ipt.cpp (VerifyRules2::processNext):
 	fixes #1109: "rules that do not pass verifyRules() checks may
 	cause compiler crash in test mode or gui crash in single rule
diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp
index a7c1df983..ed227d331 100644
--- a/src/cisco_lib/NATCompiler_pix.cpp
+++ b/src/cisco_lib/NATCompiler_pix.cpp
@@ -53,6 +53,12 @@ using namespace std;
 
 string NATCompiler_pix::myPlatformName() { return "pix"; }
 
+string _print_addr(const InetAddr* addr)
+{
+    if (addr) return addr->toString();
+    return "NULL";
+}
+
 NATCompiler_pix::NATCompiler_pix(FWObjectDatabase *_db,
                                  Firewall *fw,
                                  bool ipv6_policy,
@@ -130,11 +136,11 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
             os << " rule=" << natcmd->rule_label;
             os << " nat_acl_name=" << natcmd->nat_acl_name;
             os << " (" << nat_acl_names[natcmd->nat_acl_name] << ")";
-            os << " o_src=" <<  natcmd->o_src->getAddressPtr()->toString();
-            os << " o_dst=" <<  natcmd->o_dst->getAddressPtr()->toString();
+            os << " o_src=" <<  _print_addr(natcmd->o_src->getAddressPtr());
+            os << " o_dst=" <<  _print_addr(natcmd->o_dst->getAddressPtr());
             os << " o_srv=" <<  natcmd->o_srv->getName();
             os << " o_iface=" <<  natcmd->o_iface->getLabel();
-            os << " t_addr=" <<  natcmd->t_addr->getAddressPtr()->toString();
+            os << " t_addr=" <<  _print_addr(natcmd->t_addr->getAddressPtr());
             os << " t_iface=" <<  natcmd->t_iface->getLabel();
             os << " ignore_global=" << string((natcmd->ignore_global)?"1":"0");
             os << " ignore_nat=" << string((natcmd->ignore_nat)?"1":"0");
@@ -152,15 +158,15 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
         StaticCmd *scmd=static_commands[ rule->getInt("sc_cmd") ];
         if (scmd!=NULL)
         {
-            string iaddr_str = (scmd->iaddr->getAddressPtr())?scmd->iaddr->getAddressPtr()->toString():"NULL";
-            string oaddr_str = (scmd->oaddr->getAddressPtr())?scmd->oaddr->getAddressPtr()->toString():"NULL";
+            string iaddr_str = _print_addr(scmd->iaddr->getAddressPtr());
+            string oaddr_str = _print_addr(scmd->oaddr->getAddressPtr());
 
             os << " StaticCmd:";
             os << " acl=" << scmd->acl_name;
             os << " (" << nat_acl_names[scmd->acl_name] << ")";
             os << " iaddr=" << iaddr_str;
             os << " oaddr=" << oaddr_str;
-            os << " osrc=" << scmd->osrc->getAddressPtr()->toString();
+            os << " osrc=" << _print_addr(scmd->osrc->getAddressPtr());
             os << " osrv=" << scmd->osrv->getName();
             os << " tsrv=" << scmd->tsrv->getName();
         }
@@ -835,7 +841,6 @@ bool NATCompiler_pix::createNATCmd::processNext()
 //    Helper helper(compiler);
     NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
     NATRule *rule=getNext(); if (rule==NULL) return false;
-    tmp_queue.push_back(rule);
 
     if (rule->getRuleType()==NATRule::SNAT) 
     {
@@ -881,7 +886,8 @@ bool NATCompiler_pix::createNATCmd::processNext()
 /*
  * "nat ... outside" is only supported in PIX 6.2
  */
-        natcmd->outside= ( natcmd->o_iface->getSecurityLevel()<natcmd->t_iface->getSecurityLevel());
+        natcmd->outside =
+            ( natcmd->o_iface->getSecurityLevel() < natcmd->t_iface->getSecurityLevel());
 
         if (natcmd->outside && compiler->fw->getStr("platform")=="pix" &&
             libfwbuilder::XMLTools::version_compare(compiler->fw->getStr("version"),"6.2")<0 )
@@ -901,6 +907,7 @@ bool NATCompiler_pix::createNATCmd::processNext()
         nat_id_counter++;
     }
 
+    tmp_queue.push_back(rule);
     return true;
 }
 
diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb
index 6eb0cc886..82e675ff1 100644
--- a/test/pix/objects-for-regression-tests.fwb
+++ b/test/pix/objects-for-regression-tests.fwb
@@ -2026,7 +2026,7 @@
           <Option name="xlate_ss">0</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id3AF5AA0A" host_OS="pix_os" lastCompiled="1145688299" lastInstalled="0" lastModified="0" platform="pix" version="6.1" name="firewall1" comment="this object is used to test all kinds of negation in policy rules" ro="False">
+      <Firewall id="id3AF5AA0A" host_OS="pix_os" inactive="False" lastCompiled="1145688299" lastInstalled="0" lastModified="1263969139" platform="pix" version="6.3" name="firewall1" comment="this object is used to test all kinds of negation in policy rules" ro="False">
         <NAT id="id3AF5AA0D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id3C98491C" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -2070,7 +2070,74 @@
             </TSrv>
             <NATRuleOptions/>
           </NATRule>
-          <NATRule id="id3B1328FB" disabled="False" position="2" action="Translate" comment="">
+          <NATRule id="id579976X27842" disabled="False" group="" position="2" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+              <ObjectRef ref="id3B022266"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id3B0B4BC8"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id572656X27842" disabled="False" group="" position="3" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+              <ObjectRef ref="id3B022266"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id3AF5AA99"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id580015X27842" disabled="False" group="" position="4" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+              <ObjectRef ref="id3B022266"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id3AF5AA99"/>
+              <ObjectRef ref="id3B0B4BC8"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions/>
+          </NATRule>
+          <NATRule id="id3B1328FB" disabled="False" position="5" action="Translate" comment="">
             <OSrc neg="False">
               <ObjectRef ref="net-Internal_net"/>
               <ObjectRef ref="id3B022266"/>
@@ -2522,15 +2589,15 @@
           <RuleSetOptions/>
         </Routing>
         <Interface id="id3AF5AA96" dedicated_failover="False" dyn="False" label="inside" mgmt="True" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
-          <IPv4 id="id3AF5AA96-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
+          <IPv4 id="id3AF5AA96-ipv4" name="firewall1:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
         <Interface id="id3AF5AA99" dedicated_failover="False" dyn="True" label="outside" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
-          <IPv4 id="id3AF5AA99-ipv4" name="address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
+          <IPv4 id="id3AF5AA99-ipv4" name="firewall1:eth1:ip" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
           <InterfaceOptions/>
         </Interface>
         <Interface id="id3B0B4BC8" dedicated_failover="False" dyn="False" label="dmz" network_zone="id3B022266" security_level="50" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
-          <IPv4 id="id3B0B4BC8-ipv4" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
+          <IPv4 id="id3B0B4BC8-ipv4" name="firewall1:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
           <InterfaceOptions/>
         </Interface>
         <Management address="192.168.1.1">