
refs #1886 added support for no-nat ("identity nat") rules

This commit is contained in:
Vadim Kurland 2011-01-07 16:38:23 -08:00
parent 5313a94c86
commit 88666086ab
4 changed files with 483 additions and 14 deletions


@ -94,13 +94,13 @@ bool NATCompiler_asa8::VerifyRules::processNext()
return true;
}
if (rule->getRuleType()==NATRule::NONAT && (!osrv->isAny() || !tsrv->isAny()))
{
compiler->abort(
rule,
"'no nat' rules should have no services");
return true;
}
// if (rule->getRuleType()==NATRule::NONAT && (!osrv->isAny() || !tsrv->isAny()))
// {
// compiler->abort(
// rule,
// "'no nat' rules should have no services");
// return true;
// }
if (osrc->getNeg() ||
odst->getNeg() ||
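Review bot: The old VerifyRules check is left behind as a commented-out block instead of being deleted; version control already keeps it, and dead code inside a validation routine leaves the next reader unsure whether the restriction is meant to come back. If the intent is that NONAT rules may now carry a service, say so in one line and drop the block: `// NONAT rules may carry a service; it is emitted as the "service" clause of the identity nat command`. This abort was the only thing that kept a no-nat rule with a service from being compiled, so whatever replaces it must guarantee the service actually reaches the generated command, otherwise the rule author's restriction is silently widened to all traffic. processNext's body starts and ends outside this hunk.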


@ -133,6 +133,7 @@ NATCompiler_asa8::PrintRule::PrintRule(const std::string &name) :
void NATCompiler_asa8::PrintRule::printNONAT(libfwbuilder::NATRule *rule)
{
printSDNAT(rule);
}
void NATCompiler_asa8::PrintRule::printSNAT(libfwbuilder::NATRule *rule)
@ -171,11 +172,14 @@ void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
cmd << "source";
if (!tsrc->isAny()) cmd << "dynamic";
else cmd << "static";
if (tsrc->isAny()) cmd << "static";
else cmd << "dynamic";
cmd << pix_comp->getASA8Object(osrc)->getCommandWord();
cmd << pix_comp->getASA8Object(tsrc)->getCommandWord();
if (tsrc->isAny())
cmd << pix_comp->getASA8Object(osrc)->getCommandWord();
else
cmd << pix_comp->getASA8Object(tsrc)->getCommandWord();
// only need "destination" part if ODst is not any
if (!odst->isAny())
@ -190,7 +194,7 @@ void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
cmd << pix_comp->getASA8Object(tdst)->getCommandWord();
}
if (!osrv->isAny())
if (!osrv->isAny() && osrv->getId() != tsrv->getId())
{
cmd << "service";
cmd << pix_comp->getASA8Object(osrv)->getCommandWord();
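Review bot: The new guard `if (!osrv->isAny() && osrv->getId() != tsrv->getId())` drops the `service` clause whenever original and translated service are the same object, which conflates "no port translation" with "no service restriction": an identity-NAT or static SNAT rule scoped to one service is emitted as a bare `nat ... source static X X` that matches every protocol, so more traffic bypasses (or is subjected to) translation than the rule configured. The fixture in this commit shows the symptom, presumably because an earlier processor copies OSrv into TSrv for NONAT rules: firewall92 rule 0 carries `tcp-HTTP` in OSrv, an `object service http` is generated, yet the command is `nat (inside,outside) source static Internal_net Internal_net` with no service clause. Since ASA 8.3 twice-NAT syntax accepts the same service object on both sides (`service http http`), the guard should be just `if (!osrv->isAny())` with the translated side printed from tsrv even when the ids match; if that is not wanted, the VerifyRules abort removed in this commit should stay so the rule is rejected rather than widened. printSDNAT's body starts and ends outside this hunk.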

156
test/pix/firewall92.fw.orig Executable file

@ -0,0 +1,156 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Fri Jan 7 16:37:17 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
! Emulate outbound ACLs: yes
! Generating outbound ACLs: no
! Assume firewall is part of any: yes
!
!# files: * firewall92.fw
!
! testing new style ASA 8.3 nat commands
! no-nat rules ("identity nat")
!
! Prolog script:
!
!
! End of prolog script:
!
interface FastEthernet0
nameif inside
security-level 100
exit
interface FastEthernet1
nameif outside
security-level 0
exit
no logging buffered
no logging console
no logging timestamp
no logging on
timeout xlate 3:0:0
timeout conn 1:0:0
timeout udp 0:2:0
timeout sunrpc 0:10:0
timeout h323 0:5:0
timeout sip 0:30:0
timeout sip_media 0:0:0
timeout half-closed 0:0:0
timeout uauth 2:0:0 absolute
clear config ssh
aaa authentication ssh console LOCAL
clear config snmp-server
no snmp-server enable traps
clear config ntp
no service resetinbound
no service resetoutside
no sysopt connection timewait
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
service-policy global_policy global
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
router-alert action clear
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any
access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
object network Internal_net
subnet 192.168.1.0 255.255.255.0
quit
object service http
service tcp destination eq 80
quit
object network hostA:eth0
host 192.168.1.10
quit
object service smtp
service tcp destination eq 25
quit
object network spamhost1
host 61.150.47.112
quit
object network internal_subnet_1
subnet 192.168.1.0 255.255.255.192
quit
object network internal_subnet_2
subnet 192.168.1.64 255.255.255.192
quit
object network test_range_1
range 192.168.1.11 192.168.1.15
quit
!
! Rule 0 (NAT)
nat (inside,outside) source static Internal_net Internal_net
!
! Rule 1 (NAT)
nat (inside,outside) source static hostA:eth0 hostA:eth0
!
! Rule 2 (NAT)
nat (inside,outside) source static hostA:eth0 hostA:eth0 destination static spamhost1 spamhost1
!
! Rule 3 (NAT)
nat (inside,outside) source static internal_subnet_1 internal_subnet_1
nat (inside,outside) source static internal_subnet_2 internal_subnet_2
!
! Rule 4 (NAT)
nat (inside,outside) source static test_range_1 test_range_1 destination static spamhost1 spamhost1
!
! Epilog script:
!
! End of epilog script:
!


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1294445191" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1294446618" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -18228,7 +18228,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294429194" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294446761" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -18336,7 +18336,7 @@ no sysopt nodnsalias outbound
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id178073X29963" disabled="False" group="" position="5" action="Translate" comment="double nat. Not supported yet, but with&#10;double nat feature in asa 8,3 we could &#10;support them">
<NATRule id="id178073X29963" disabled="False" group="" position="5" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
@ -18866,6 +18866,315 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id20320X6113" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294446808" platform="pix" version="8.3" name="firewall92" comment="testing new style ASA 8.3 nat commands&#10;no-nat rules (&quot;identity nat&quot;)&#10;&#10;" ro="False">
<NAT id="id20354X6113" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id20818X6113" disabled="False" group="" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id20710X6113" disabled="False" group="" position="1" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id20546X6113" disabled="False" group="" position="2" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4388C37D674"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id20655X6113" disabled="False" group="" position="3" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id178241X29963"/>
<ObjectRef ref="id178250X29963"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id20600X6113" disabled="False" group="" position="4" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3CD8769F"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id4388C37D674"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id20340X6113" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id20341X6113" disabled="False" log="False" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id20426X6113" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id20328X6113" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="net-Internal_net" security_level="100" unnum="False" unprotected="False" name="FastEthernet0" comment="" ro="False">
<IPv4 id="id20331X6113" name="firewall92:FastEthernet0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id20333X6113" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="FastEthernet1" comment="" ro="False">
<IPv4 id="id20337X6113" name="firewall92:FastEthernet1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<IPv4 id="id20338X6113" name="firewall92:FastEthernet1:ip-1" comment="" ro="False" address="22.22.22.23" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="22.22.22.22">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conn_hh">1</Option>
<Option name="conn_mm">0</Option>
<Option name="conn_ss">0</Option>
<Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
<Option name="debug">False</Option>
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="dyn_addr">False</Option>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="filesystem"></Option>
<Option name="firewall_dir"></Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ftp_fixup">2 21 0 strict 0</Option>
<Option name="h323_h225_fixup">2 1720 1720 nil 0</Option>
<Option name="h323_hh">0</Option>
<Option name="h323_mm">5</Option>
<Option name="h323_ras_fixup">2 1718 1719 nil 0</Option>
<Option name="h323_ss">0</Option>
<Option name="half-closed_hh">0</Option>
<Option name="half-closed_mm">0</Option>
<Option name="half-closed_ss">0</Option>
<Option name="http_fixup">2 80 80 nil 0</Option>
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ils_fixup">2 389 389 nil 0</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="ip_options_eool_fixup">0 0 0 nil 0</Option>
<Option name="ip_options_nop_fixup">1 0 0 nil 0</Option>
<Option name="ip_options_rtralt">2 0 0 nil 0</Option>
<Option name="ip_options_rtralt_fixup">3 0 0 nil 0</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="load_modules">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"></Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pix_acl_basic">True</Option>
<Option name="pix_acl_no_clear">False</Option>
<Option name="pix_acl_substitution">False</Option>
<Option name="pix_acl_temp_addr"></Option>
<Option name="pix_add_clear_statements">True</Option>
<Option name="pix_assume_fw_part_of_any">True</Option>
<Option name="pix_check_duplicate_nat">False</Option>
<Option name="pix_check_overlapping_global_pools">True</Option>
<Option name="pix_check_overlapping_global_statics">True</Option>
<Option name="pix_check_overlapping_statics">True</Option>
<Option name="pix_check_rule_shading">False</Option>
<Option name="pix_connection_timewait">False</Option>
<Option name="pix_emb_limit">0</Option>
<Option name="pix_emblem_log_format">False</Option>
<Option name="pix_emulate_out_acl">True</Option>
<Option name="pix_epilog_script"></Option>
<Option name="pix_floodguard">False</Option>
<Option name="pix_fragguard">False</Option>
<Option name="pix_generate_out_acl">False</Option>
<Option name="pix_include_comments">True</Option>
<Option name="pix_ip_address">False</Option>
<Option name="pix_logging_buffered">False</Option>
<Option name="pix_logging_buffered_level">0</Option>
<Option name="pix_logging_console">False</Option>
<Option name="pix_logging_console_level">0</Option>
<Option name="pix_logging_timestamp">False</Option>
<Option name="pix_logging_trap_level">0</Option>
<Option name="pix_max_conns">0</Option>
<Option name="pix_nodnsalias_inbound">False</Option>
<Option name="pix_nodnsalias_outbound">False</Option>
<Option name="pix_optimize_default_nat">False</Option>
<Option name="pix_prolog_script"></Option>
<Option name="pix_regroup_commands">False</Option>
<Option name="pix_replace_natted_objects">True</Option>
<Option name="pix_resetinbound">False</Option>
<Option name="pix_resetoutside">False</Option>
<Option name="pix_route_dnat">False</Option>
<Option name="pix_set_host_name">False</Option>
<Option name="pix_ssh_timeout">0</Option>
<Option name="pix_syslog_device_id_opt"></Option>
<Option name="pix_syslog_device_id_val"></Option>
<Option name="pix_syslog_facility"></Option>
<Option name="pix_syslog_host"></Option>
<Option name="pix_syslog_queue_size">0</Option>
<Option name="pix_telnet_timeout">0</Option>
<Option name="pix_use_acl_remarks">False</Option>
<Option name="pix_use_manual_commit">False</Option>
<Option name="platform">iptables</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="proxy_arp">False</Option>
<Option name="rpc_hh">0</Option>
<Option name="rpc_mm">10</Option>
<Option name="rpc_ss">0</Option>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
<Option name="short_script">False</Option>
<Option name="sip_fixup">2 5060 5060 nil 0</Option>
<Option name="sip_hh">0</Option>
<Option name="sip_media_hh">0</Option>
<Option name="sip_media_mm">0</Option>
<Option name="sip_media_ss">0</Option>
<Option name="sip_mm">30</Option>
<Option name="sip_ss">0</Option>
<Option name="sip_udp_fixup">2 5060 0 nil 0</Option>
<Option name="skinny_fixup">2 2000 2000 nil 0</Option>
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="ssh_timeout">5</Option>
<Option name="telnet_timeout">5</Option>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="uauth_abs">True</Option>
<Option name="uauth_hh">2</Option>
<Option name="uauth_inact">False</Option>
<Option name="uauth_mm">0</Option>
<Option name="uauth_ss">0</Option>
<Option name="udp_hh">0</Option>
<Option name="udp_mm">2</Option>
<Option name="udp_ss">0</Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_scp">False</Option>
<Option name="xlate_hh">3</Option>
<Option name="xlate_mm">0</Option>
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
</Library>
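Review bot: The new firewall92 object is declared `platform="pix" version="8.3"` but its FirewallOptions carry `<Option name="platform">iptables</Option>`, which looks copied from another firewall's option block; if any code path reads the option rather than the attribute, the fixture would be compiled for the wrong target. Change it to `<Option name="platform">pix</Option>`, or drop the option if the compiler ignores it (I cannot tell from here). Every NAT rule in the fixture is `action="Translate"` with TSrc and TDst set to Any, so the no-nat rule type is presumably inferred from empty translated fields rather than from an explicit action; a short note in the firewall's comment attribute stating that convention would help whoever extends this test. The enclosing Library element continues outside this section.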