diff --git a/doc/ChangeLog b/doc/ChangeLog index d2866bcb5..246cbe624 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,9 @@ 2011-01-13 vadim + * NATCompiler_asa8.cpp (compile): refs #1928 "Support for + object-group in OSrc". Implemented support for object-group + and named objects for Osrc and ODst in ASA 8.3 NAT rules. + * PolicyCompiler_cisco.cpp (removeRedundantAddresses): fixed #1917 "Duplicate objects are not detected". Compiler should detect duplicate objects that may be created in a rule element when user diff --git a/src/cisco_lib/NATCompiler_asa8.cpp b/src/cisco_lib/NATCompiler_asa8.cpp index 5be874e95..303adf6e9 100644 --- a/src/cisco_lib/NATCompiler_asa8.cpp +++ b/src/cisco_lib/NATCompiler_asa8.cpp @@ -326,12 +326,7 @@ void NATCompiler_asa8::compile() add( new checkForUnnumbered("check for unnumbered interfaces")); - add( new ConvertToAtomicForOriginal( - "convert to atomic for OSrc, ODst, OSrv")); - - // remove ConvertToAtomicForTSrc if we figure out a way to support multiple - // translated soruces per #1907 - // add( new ConvertToAtomicForTSrc("convert to atomic for TSrc")); + add( new ConvertToAtomicForOSrv("convert to atomic for OSrv")); add( new ConvertToAtomicForTDst("convert to atomic for TDst")); add( new ConvertToAtomicForTSrv("convert to atomic for TSrv")); @@ -345,7 +340,14 @@ void NATCompiler_asa8::compile() add( new VerifyValidityOfDNSOption( "Check validity of 'translate dns' option")); + add( new CreateObjectGroupsForOSrc("create object groups for OSrc")); + add( new CreateObjectGroupsForODst("create object groups for ODst")); + add( new CreateObjectGroupsForOSrv("create object groups for OSrv")); + + // need special rule processor to create object groups in TSrc + // because of a special tratment that an Interface object gets in TSrc add( new CreateObjectGroupsForTSrc("create object groups for TSrc")); + add( new VerifyValidityOfTSrc("verify objects in TSrc")); /* REMOVE_OLD_OPTIMIZATIONS 
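Review bot: Removing ConvertToAtomicForOriginal also removes the only comment that explained why TSrc is not atomized (refs #1907), and nothing in the new code says why OSrv alone is still split while OSrc and ODst now stay multi-object; a reader of compile() has to find CreateObjectGroupsForOSrc further down to work that out. Suggest keeping that context next to the new processor, e.g. `// OSrc and ODst may hold several objects; CreateObjectGroupsForOSrc/ODst below pack them` `// into object-groups, so only OSrv is split here (TSrc is not split, see #1907)`. compile() starts before this hunk and continues past it.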
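Review bot: The added comment above CreateObjectGroupsForTSrc misspells "treatment" (`// because of a special treatment that an Interface object gets in TSrc`). VerifyValidityOfTSrc is added right after it and its header comment says it must run after CreateObjectGroupsForTSrc, so it would help to state that ordering constraint at the call site as well, e.g. `// must follow CreateObjectGroupsForTSrc: it checks the groups that processor built`. compile() continues past the end of this hunk.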
@@ -368,10 +370,8 @@ void NATCompiler_asa8::compile() */ add( new PrintClearCommands("Clear ACLs" )); - add( new PrintObjectsForNat("generate objects for nat commands")); - add( new PrintObjectsForTSrc( - "generate object groups and objects for TSrc")); - add( new printObjectGroups("generate code for object groups")); + add( new printNamedObjects("definitions of named objects")); + add( new printObjectGroups("definitions of object groups")); add( new PrintRule("generate PIX code" )); add( new storeProcessedRules ("store processed rules" )); add( new simplePrintProgress ()); diff --git a/src/cisco_lib/NATCompiler_asa8.h b/src/cisco_lib/NATCompiler_asa8.h index b22dae241..1933414c1 100644 --- a/src/cisco_lib/NATCompiler_asa8.h +++ b/src/cisco_lib/NATCompiler_asa8.h @@ -40,9 +40,6 @@ namespace fwcompiler { { public: - void addNamedObject(const libfwbuilder::FWObject *obj); - NamedObject* getNamedObject(const libfwbuilder::FWObject *obj); - QString sanitizeObjectName(const QString &name); std::string createNetworkObjectCommand(libfwbuilder::Address *addr); std::string createServiceObjectCommand(libfwbuilder::Service *addr); @@ -56,21 +53,12 @@ namespace fwcompiler { */ DECLARE_NAT_RULE_PROCESSOR(VerifyRules); - DECLARE_NAT_RULE_PROCESSOR(PrintObjectsForNat); - /* * Check that TSrc has right combination of objects after * object group has been created. Call after CreateObjectGroupsForTSrc */ DECLARE_NAT_RULE_PROCESSOR(VerifyValidityOfTSrc); - /** - * TSrc may contain multiple objects, so we should group them - * in order to put all addresses, address ranges and subnets - * into an object-group and keep interfaces separate. - */ - DECLARE_NAT_RULE_PROCESSOR(PrintObjectsForTSrc); - /* * Check if "translate dns" option can be used with the rule */ diff --git a/src/cisco_lib/NATCompiler_asa8_writers.cpp b/src/cisco_lib/NATCompiler_asa8_writers.cpp index e1a6c2438..423c0e3b4 100644 --- a/src/cisco_lib/NATCompiler_asa8_writers.cpp 
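Review bot: The order of the two replacement processors is a hard dependency that is not stated: printNamedObjects has to run before printObjectGroups because the object-group definitions refer to named objects by name (the firewall90 fixture in this commit shows `network-object object internal_subnet_1` inside a group), yet the two add() calls read as interchangeable. A one-line comment such as `// named objects first: object-group definitions reference them by name` would protect the order against a later reshuffle. compile() begins before this hunk.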
+++ b/src/cisco_lib/NATCompiler_asa8_writers.cpp 
@@ -50,98 +50,6 @@ using namespace libfwbuilder; using namespace fwcompiler; using namespace std; -void NATCompiler_asa8::addNamedObject(const FWObject *obj) -{ - if (BaseObjectGroup::constcast(obj)!=NULL) - { - for (FWObject::const_iterator i=obj->begin(); i!=obj->end(); ++i) - { - addNamedObject(FWReference::getObject(*i)); - } - } - if (CreateObjectGroups::named_objects[obj->getId()] == NULL) - { - NamedObject *asa8obj = new NamedObject(obj); - output << asa8obj->getCommand().toStdString(); - CreateObjectGroups::named_objects[obj->getId()] = asa8obj; - } -} - -NamedObject* NATCompiler_asa8::getNamedObject(const FWObject *obj) -{ - return CreateObjectGroups::named_objects[obj->getId()]; -} - -bool NATCompiler_asa8::PrintObjectsForNat::processNext() -{ - NATCompiler_asa8 *pix_comp = dynamic_cast(compiler); - - slurp(); - if (tmp_queue.size()==0) return false; - - compiler->output << endl; - - for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) - { - NATRule *rule = NATRule::cast( *k ); - - // OSrc, ODst, OSrv and TSrc may be either a single - // address/service object or a group. 
We print group - // definitions in rule processor printObjectGroups - - Address *osrc = compiler->getFirstOSrc(rule); - if (osrc) pix_comp->addNamedObject(osrc); - - Address *odst = compiler->getFirstODst(rule); - if (odst) pix_comp->addNamedObject(odst); - - Service *osrv = compiler->getFirstOSrv(rule); - if (osrv) pix_comp->addNamedObject(osrv); - - // Address *tsrc = compiler->getFirstTSrc(rule); - // if (tsrc) pix_comp->addNamedObject(tsrc); - - Address *tdst = compiler->getFirstTDst(rule); assert(tdst); - pix_comp->addNamedObject(tdst); - - Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv); - pix_comp->addNamedObject(tsrv); - - } - - return true; -} - -bool NATCompiler_asa8::PrintObjectsForTSrc::processNext() -{ - NATCompiler_asa8 *pix_comp = dynamic_cast(compiler); - - slurp(); - if (tmp_queue.size()==0) return false; - - compiler->output << endl; - - /* - * Print definitions of all objects that are not interface - */ - for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) - { - NATRule *rule = NATRule::cast( *k ); - - RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re); - if (tsrc_re->isAny()) continue; - - for (FWObject::iterator it=tsrc_re->begin(); it!=tsrc_re->end(); ++it) - { - FWObject *obj = FWReference::getObject(*it); - if (Interface::isA(obj)) continue; - pix_comp->addNamedObject(obj); - } - } - - return true; -} - bool NATCompiler_asa8::PrintClearCommands::processNext() { @@ -194,7 +102,10 @@ void NATCompiler_asa8::PrintRule::printDNAT(libfwbuilder::NATRule *rule) QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj) { NATCompiler_asa8 *pix_comp = dynamic_cast(compiler); - NamedObject* asa8_object = pix_comp->getNamedObject(obj); + + if (Address::cast(obj) && Address::cast(obj)->isAny()) return "any"; + + NamedObject* asa8_object = NamedObjectManager::getNamedObject(obj); if (asa8_object) return asa8_object->getCommandWord(); for (FWObject::iterator i=CreateObjectGroups::object_groups->begin(); 
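Review bot: The new early return in printSingleObject recognises only an Address "any"; a Service element that is "any" is skipped by printNamedObjects (it returns on `re->isAny()`), so if such an object reaches printSingleObject it gets no NamedObject and falls through to the object-group scan with whatever that scan yields on a miss — I cannot see from the hunk whether callers filter services first. If Service exposes the same isAny() predicate, a parallel guard would make the function self-contained; otherwise a comment stating that "any" services never reach this point would do. Minor: `Address::cast(obj)` is evaluated twice on the new line; `Address *addr = Address::cast(obj); if (addr && addr->isAny()) return "any";` reads cleaner. The hunk before this one is a plain deletion, and printSingleObject continues beyond the end of this hunk.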
diff --git a/src/cisco_lib/NATCompiler_pix.h b/src/cisco_lib/NATCompiler_pix.h index c579bb4c1..c116fc9bf 100644 --- a/src/cisco_lib/NATCompiler_pix.h +++ b/src/cisco_lib/NATCompiler_pix.h @@ -107,7 +107,6 @@ namespace fwcompiler { libfwbuilder::RuleSet *final_ruleset; - std::string debugPrintRule(libfwbuilder::Rule *r); void _expand_addr_recursive_pix(libfwbuilder::Rule *rule, diff --git a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp index 82a079bda..29ef70e0c 100644 --- a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp +++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp @@ -62,6 +62,33 @@ Group* CreateObjectGroups::object_groups = NULL; map CreateObjectGroups::named_objects; +string NamedObjectManager::addNamedObject(const FWObject *obj) +{ + string res; + if (BaseObjectGroup::constcast(obj)!=NULL) + { + for (FWObject::const_iterator i=obj->begin(); i!=obj->end(); ++i) + { + res += addNamedObject(FWReference::getObject(*i)); + } + return res; + } + if (CreateObjectGroups::named_objects[obj->getId()] == NULL) + { + NamedObject *asa8obj = new NamedObject(obj); + res = asa8obj->getCommand().toStdString(); + CreateObjectGroups::named_objects[obj->getId()] = asa8obj; + } + return res; +} + +NamedObject* NamedObjectManager::getNamedObject(const FWObject *obj) +{ + return CreateObjectGroups::named_objects[obj->getId()]; +} + + + void CreateObjectGroups::init(FWObjectDatabase *db) { object_groups = new Group(); @@ -201,8 +228,7 @@ void CreateObjectGroupsForTSrc::packObjects(RuleElement *re, BaseObjectGroup *obj_group) { if (libfwbuilder::XMLTools::version_compare( - compiler->fw->getStr("version"), "8.3")>=0 && - re_type == RuleElementTSrc::TYPENAME) + compiler->fw->getStr("version"), "8.3")>=0) { // put all objects inside of the group, except for the interface // if it belongs to the firewall 
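Review bot: NamedObjectManager::getNamedObject looks objects up with `CreateObjectGroups::named_objects[obj->getId()]`, and std::map::operator[] inserts a default (NULL) entry for every id that is not yet registered, so a query from printSingleObject mutates the shared registry as a side effect; addNamedObject's `== NULL` test does the same but immediately fills the slot, so only the getter is affected. Using find() on the map and returning NULL when the key is absent keeps the getter read-only. The ownership of the `new NamedObject(obj)` stored in the static map is also not stated; a comment pointing at CreateObjectGroups::clearNamedObjectsRegistry() (declared in the header in this commit) as the release point would help. The packObjects hunk below only drops a condition that is always true inside CreateObjectGroupsForTSrc, and the pix.h hunk above is a plain declaration removal.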
@@ -257,3 +283,49 @@ bool printObjectGroups::processNext() return true; } +void printNamedObjects::printObjectsForRE(RuleElement *re) +{ + if (re->isAny()) return; + + for (FWObject::iterator it=re->begin(); it!=re->end(); ++it) + { + FWObject *obj = FWReference::getObject(*it); + if (Interface::isA(obj)) continue; + compiler->output << NamedObjectManager::addNamedObject(obj); + } +} + +bool printNamedObjects::processNext() +{ + slurp(); + if (tmp_queue.size()==0) return false; + + compiler->output << endl; + + for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) + { + NATRule *rule = NATRule::cast( *k ); + + RuleElementOSrc *osrc_re = rule->getOSrc(); assert(osrc_re); + printObjectsForRE(osrc_re); + + RuleElementODst *odst_re = rule->getODst(); assert(odst_re); + printObjectsForRE(odst_re); + + RuleElementOSrv *osrv_re = rule->getOSrv(); assert(osrv_re); + printObjectsForRE(osrv_re); + + RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re); + printObjectsForRE(tsrc_re); + + RuleElementTDst *tdst_re = rule->getTDst(); assert(tdst_re); + printObjectsForRE(tdst_re); + + RuleElementTSrv *tsrv_re = rule->getTSrv(); assert(tsrv_re); + printObjectsForRE(tsrv_re); + + } + + return true; +} + diff --git a/src/cisco_lib/NamedObjectsAndGroupsSupport.h b/src/cisco_lib/NamedObjectsAndGroupsSupport.h index 8f850c13f..4ad8a410e 100644 --- a/src/cisco_lib/NamedObjectsAndGroupsSupport.h +++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.h @@ -39,6 +39,13 @@ namespace fwcompiler { + class NamedObjectManager + { +public: + static std::string addNamedObject(const libfwbuilder::FWObject *obj); + static NamedObject* getNamedObject(const libfwbuilder::FWObject *obj); + }; + class CreateObjectGroups : public BasicRuleProcessor { static void clearNamedObjectsRegistry(); 
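Review bot: printObjectsForRE skips Interface objects at the top level of a rule element, but NamedObjectManager::addNamedObject recurses into groups without that check, so an Interface that is a member of a group placed in OSrc or ODst would presumably get an `object network` definition while a directly referenced Interface does not. If that asymmetry is intended (the compile() comment says interfaces in TSrc get special treatment), a comment here saying so would prevent a later "fix"; if not, the `Interface::isA(obj)` test belongs inside addNamedObject's recursion rather than only here. processNext repeats the same get/assert/print triple for six rule elements; a comment stating that the print order (OSrc, ODst, OSrv, TSrc, TDst, TSrv) is deliberate, or a loop over the six RuleElement pointers, would make the intent explicit.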
@@ -92,6 +99,31 @@ public: CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {} }; + + // ################################################################ + // OSrc, ODst, OSrv, TSrc + + class CreateObjectGroupsForOSrc : public CreateObjectGroups + { +public: + CreateObjectGroupsForOSrc(const std::string &n) : + CreateObjectGroups(n,"osrc",libfwbuilder::RuleElementOSrc::TYPENAME) {} + }; + + class CreateObjectGroupsForODst : public CreateObjectGroups + { +public: + CreateObjectGroupsForODst(const std::string &n) : + CreateObjectGroups(n,"odst",libfwbuilder::RuleElementODst::TYPENAME) {} + }; + + class CreateObjectGroupsForOSrv : public CreateObjectGroups + { +public: + CreateObjectGroupsForOSrv(const std::string &n) : + CreateObjectGroups(n,"osrv",libfwbuilder::RuleElementOSrv::TYPENAME) {} + }; + class CreateObjectGroupsForTSrc : public CreateObjectGroups { protected: @@ -104,6 +136,9 @@ public: CreateObjectGroups(n,"tsrc",libfwbuilder::RuleElementTSrc::TYPENAME) {} }; + + + /** * this processor accumulates all rules fed to it by previous * processors, then prints all object groups and feeds all @@ -118,6 +153,17 @@ public: virtual bool processNext(); }; + class printNamedObjects : public BasicRuleProcessor + { + void printObjectsForRE(libfwbuilder::RuleElement *re); + +public: + printNamedObjects(const std::string &n) : BasicRuleProcessor(n) {} + virtual bool processNext(); + }; + + + } #endif diff --git a/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp b/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp index 4a17f0e47..b2fe6286c 100644 --- a/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp +++ b/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp 
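Review bot: NamedObjectManager is added without any comment, although its contract is not obvious from the two static signatures: addNamedObject returns the configuration text for obj (recursing into groups) and an empty string when the object was already registered, while getNamedObject returns NULL for unknown objects, and both operate on the shared registry in CreateObjectGroups::named_objects. A doc comment on the class stating that, and that the registry is static state released through CreateObjectGroups::clearNamedObjectsRegistry(), would spare readers a trip to the .cpp. The same applies to the hunk adding class printNamedObjects further down: it lacks the description its neighbour printObjectGroups has, and a similar block saying it emits the named-object definitions for OSrc, ODst, OSrv, TSrc, TDst and TSrv of every accumulated rule, and must run before printObjectGroups, would keep the header consistent.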
@@ -546,6 +546,29 @@ bool NATCompiler::ConvertToAtomicForAddresses::processNext() return true; } +bool NATCompiler::ConvertToAtomicForOSrv::processNext() +{ + NATRule *rule=getNext(); if (rule==NULL) return false; + + RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv); + + for (FWObject::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1) + { + NATRule *r = compiler->dbcopy->createNATRule(); + r->duplicate(rule); + compiler->temp_ruleset->add(r); + + FWObject *s; + + s=r->getOSrv(); assert(s); + s->clearChildren(); + s->addCopyOf( *i1 ); + + tmp_queue.push_back(r); + } + + return true; +} bool NATCompiler::ConvertToAtomicForTSrc::processNext() { diff --git a/src/libfwbuilder/src/fwcompiler/NATCompiler.h b/src/libfwbuilder/src/fwcompiler/NATCompiler.h index 61df531ea..622ba95f0 100644 --- a/src/libfwbuilder/src/fwcompiler/NATCompiler.h +++ b/src/libfwbuilder/src/fwcompiler/NATCompiler.h @@ -150,6 +150,11 @@ namespace fwcompiler { */ DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForOriginal); + /** + * this processor converts to atomic rules only for OSrcv + */ + DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForOSrv); + /** * this processor converts to atomic rules only for TSrc */ diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 8d5c75f8e..edf54f34f 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:32 2011 PST by vadim +! Generated Thu Jan 13 19:02:58 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index 33e4aa69b..7e51c8c2f 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig 
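Review bot: ConvertToAtomicForOSrv::processNext drops the rule when the OSrv element has no children: the for loop body never runs, nothing is pushed to tmp_queue, and `return true` reports success, so the rule silently disappears from the generated configuration. I cannot see from the hunk whether an empty element can reach this processor, but if it can, a guard such as `if (osrv->begin()==osrv->end()) { tmp_queue.push_back(rule); return true; }` before the loop keeps the rule instead of losing it without a diagnostic. Minor style: `FWObject *s; s=r->getOSrv(); assert(s);` can be a single initialised declaration, and the new function is not separated from ConvertToAtomicForTSrc by a blank line.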
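Review bot: The new doc comment in NATCompiler.h reads "only for OSrcv", which is neither OSrc nor OSrv and will mislead anyone searching for the processor; it should read `* this processor converts to atomic rules only for OSrv`. The comment could also note that OSrc and ODst are deliberately left multi-object so that they can be packed into object-groups, since that is the reason this narrower processor exists next to ConvertToAtomicForOriginal.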
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:32 2011 PST by vadim +! Generated Thu Jan 13 19:02:58 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index fea72ce21..41d7a62c3 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:32 2011 PST by vadim +! Generated Thu Jan 13 19:02:57 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 051b3c926..fa2bef7a8 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:32 2011 PST by vadim +! Generated Thu Jan 13 19:02:57 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index d8e10015d..fdcd7eac8 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:07 2011 PST by vadim +! Generated Thu Jan 13 19:02:33 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index e90454bc1..6a34e8a96 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:08 2011 PST by vadim +! Generated Thu Jan 13 19:02:34 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index abee1e4ef..4722d4733 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:09 2011 PST by vadim +! Generated Thu Jan 13 19:02:34 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index ab9a448ae..7349c0307 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:10 2011 PST by vadim +! Generated Thu Jan 13 19:02:35 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 6962b871d..94410846c 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:10 2011 PST by vadim +! Generated Thu Jan 13 19:02:36 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 2fbab3152..542d44fc2 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:11 2011 PST by vadim +! Generated Thu Jan 13 19:02:36 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 7887b09b2..c2804e0cc 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:12 2011 PST by vadim +! Generated Thu Jan 13 19:02:37 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index ce5d89176..eb2eda576 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:12 2011 PST by vadim +! Generated Thu Jan 13 19:02:38 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index 3918fa37d..70639ce54 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:13 2011 PST by vadim +! Generated Thu Jan 13 19:02:39 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 956bc456c..f6b0f2679 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:14 2011 PST by vadim +! Generated Thu Jan 13 19:02:40 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index c9a5d2bbc..a90fe1cc4 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:14 2011 PST by vadim +! Generated Thu Jan 13 19:02:39 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 150bf5cc7..4ce9446ff 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:15 2011 PST by vadim +! Generated Thu Jan 13 19:02:41 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index 3216144dc..a2d05b4b0 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:16 2011 PST by vadim +! Generated Thu Jan 13 19:02:41 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index cc42d49fe..f1bf1ca2e 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:17 2011 PST by vadim +! Generated Thu Jan 13 19:02:42 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index cad45bd1e..39a90b1dc 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:18 2011 PST by vadim +! Generated Thu Jan 13 19:02:43 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 7f442c18f..e651b970c 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:18 2011 PST by vadim +! Generated Thu Jan 13 19:02:44 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index af658e59c..2f95029d0 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:19 2011 PST by vadim +! Generated Thu Jan 13 19:02:45 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index fdb665861..480c9a214 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:20 2011 PST by vadim +! Generated Thu Jan 13 19:02:45 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index dbb63cd77..fb6c8916f 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:21 2011 PST by vadim +! Generated Thu Jan 13 19:02:46 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 17b808f42..74623787f 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:21 2011 PST by vadim +! Generated Thu Jan 13 19:02:47 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index 936883af3..ef722ca72 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:22 2011 PST by vadim +! Generated Thu Jan 13 19:02:48 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -142,7 +142,6 @@ quit object network hostA:eth0 host 192.168.1.10 quit - ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0 service http http diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 927b1412b..f8c25e754 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:23 2011 PST by vadim +! Generated Thu Jan 13 19:02:48 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -142,7 +142,6 @@ quit object network hostA:eth0 host 192.168.1.10 quit - ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0 service http http diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 6fb7ac4e4..081b9f763 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:23 2011 PST by vadim +! Generated Thu Jan 13 19:02:49 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -137,7 +137,6 @@ quit object service http service tcp destination eq 80 quit - ! ! Rule 0 (NAT) nat (inside,outside) source static hostA:eth0 interface service http http diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index dc5a08660..e83c474bb 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:24 2011 PST by vadim +! Generated Thu Jan 13 19:02:50 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index 15d9c1445..5d8eef94e 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:25 2011 PST by vadim +! Generated Thu Jan 13 19:02:51 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -130,6 +130,9 @@ quit object service smtp service tcp destination eq 25 quit +object network firewall90:FastEthernet1:ip-1 + host 22.22.22.23 +quit object network internal_subnet_1 subnet 192.168.1.0 255.255.255.192 quit 
@@ -145,19 +148,6 @@ quit object network outside_range range 22.22.22.21 22.22.22.25 quit -object service squid - service tcp destination eq 3128 -quit -object service smtps - service tcp destination eq 465 -quit -object network spamhost2 - host 61.150.47.113 -quit - -object network firewall90:FastEthernet1:ip-1 - host 22.22.22.23 -quit object network firewall90:FastEthernet1:ip host 22.22.22.22 quit @@ -170,6 +160,28 @@ quit object network outside_range-1 range 22.22.22.30 22.22.22.40 quit +object service squid + service tcp destination eq 3128 +quit +object network spamhost2 + host 61.150.47.113 +quit +object service smtps + service tcp destination eq 465 +quit + +object-group network outside.id178211X29963.osrc.net.0 + network-object object internal_subnet_1 + network-object object internal_subnet_2 + exit + + +object-group network outside.id21353X4994.osrc.net.0 + network-object object internal_subnet_1 + network-object object Internal_net + network-object object internal_subnet_2 + exit + object-group network outside.id130599X29063.tsrc.net.0 network-object object outside_range @@ -205,6 +217,12 @@ object-group network outside.id21177X3720.tsrc.net.0 exit +object-group network outside.id77971X5929.odst.net.0 + network-object object spamhost1 + network-object object spamhost2 + exit + + object-group network outside.id77971X5929.tsrc.net.0 network-object object outside_range-1 network-object object external_gw2 
@@ -216,42 +234,6 @@ object-group network outside.id77971X5929.tsrc.net.1 network-object object external_gw2 exit - -object-group network outside.id77971X5929.tsrc.net.2 - network-object object outside_range-1 - network-object object external_gw2 - exit - - -object-group network outside.id77971X5929.tsrc.net.3 - network-object object outside_range-1 - network-object object external_gw2 - exit - - -object-group network outside.id77971X5929.tsrc.net.4 - network-object object outside_range-1 - network-object object external_gw2 - exit - - -object-group network outside.id77971X5929.tsrc.net.5 - network-object object outside_range-1 - network-object object external_gw2 - exit - - -object-group network outside.id77971X5929.tsrc.net.6 - network-object object outside_range-1 - network-object object external_gw2 - exit - - -object-group network outside.id77971X5929.tsrc.net.7 - network-object object outside_range-1 - network-object object external_gw2 - exit - ! ! Rule 0 (NAT) nat (inside,outside) source dynamic Internal_net interface service http http 
@@ -263,15 +245,12 @@ nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip-1 dest nat (inside,outside) source static hostA:eth0 interface service smtp smtp ! ! Rule 3 (NAT) -nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service smtp smtp -nat (inside,outside) source dynamic internal_subnet_2 firewall90:FastEthernet1:ip-1 service smtp smtp +nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp ! ! Rule 4 (NAT) ! for #1928 ! note that group in OSrc includes another group -nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service smtp smtp -nat (inside,outside) source dynamic Internal_net firewall90:FastEthernet1:ip-1 service smtp smtp -nat (inside,outside) source dynamic internal_subnet_2 firewall90:FastEthernet1:ip-1 service smtp smtp +nat (inside,outside) source dynamic outside.id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp ! ! Rule 5 (NAT) nat (inside,outside) source dynamic test_range_1 firewall90:FastEthernet1:ip-1 destination static spamhost1 spamhost1 service smtp smtp 
@@ -357,14 +336,8 @@ nat (outside,inside) source static any any destination static interface hostA:et ! ! Rule 23 (NAT) ! multiple objects in OSrc, ODst, OSrv and TSrc in various combinations -nat (inside,outside) source dynamic internal_subnet_1 outside.id77971X5929.tsrc.net.0 interface destination static spamhost1 spamhost1 service smtp smtp -nat (inside,outside) source dynamic internal_subnet_1 outside.id77971X5929.tsrc.net.1 interface destination static spamhost1 spamhost1 service smtps smtps -nat (inside,outside) source dynamic internal_subnet_1 outside.id77971X5929.tsrc.net.2 interface destination static spamhost2 spamhost2 service smtp smtp -nat (inside,outside) source dynamic internal_subnet_1 outside.id77971X5929.tsrc.net.3 interface destination static spamhost2 spamhost2 service smtps smtps -nat (inside,outside) source dynamic internal_subnet_2 outside.id77971X5929.tsrc.net.4 interface destination static spamhost1 spamhost1 service smtp smtp -nat (inside,outside) source dynamic internal_subnet_2 outside.id77971X5929.tsrc.net.5 interface destination static spamhost1 spamhost1 service smtps smtps -nat (inside,outside) source dynamic internal_subnet_2 outside.id77971X5929.tsrc.net.6 interface destination static spamhost2 spamhost2 service smtp smtp -nat (inside,outside) source dynamic internal_subnet_2 outside.id77971X5929.tsrc.net.7 interface destination static spamhost2 spamhost2 service smtps smtps +nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.0 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtp smtp +nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.1 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtps smtps diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 995918772..2bc2586a6 100755 
--- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:25 2011 PST by vadim +! Generated Thu Jan 13 19:02:51 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -121,7 +121,6 @@ quit object service https service tcp destination eq 443 quit - ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0 diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index 5499e4ae5..818a6683d 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:26 2011 PST by vadim +! Generated Thu Jan 13 19:02:52 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -130,6 +130,11 @@ object network test_range_1 range 192.168.1.11 192.168.1.15 quit +object-group network outside.id20655X6113.osrc.net.0 + network-object object internal_subnet_1 + network-object object internal_subnet_2 + exit + ! ! Rule 0 (NAT) nat (inside,outside) source static Internal_net Internal_net service http http @@ -141,8 +146,7 @@ nat (inside,outside) source static hostA:eth0 hostA:eth0 service smtp smtp nat (inside,outside) source static hostA:eth0 hostA:eth0 destination static spamhost1 spamhost1 service smtp smtp ! ! Rule 3 (NAT) -nat (inside,outside) source static internal_subnet_1 internal_subnet_1 service smtp smtp -nat (inside,outside) source static internal_subnet_2 internal_subnet_2 service smtp smtp +nat (inside,outside) source static outside.id20655X6113.osrc.net.0 outside.id20655X6113.osrc.net.0 service smtp smtp ! ! Rule 4 (NAT) nat (inside,outside) source static test_range_1 test_range_1 destination static spamhost1 spamhost1 service smtp smtp diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index bcba5975e..f94b5651d 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:27 2011 PST by vadim +! Generated Thu Jan 13 19:02:53 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index 91ebd3064..f378fd505 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:28 2011 PST by vadim +! Generated Thu Jan 13 19:02:54 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index 39678cbd4..aa8f85544 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:29 2011 PST by vadim +! Generated Thu Jan 13 19:02:55 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index a53730ec3..952f5ba5c 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3431 ! -! Generated Thu Jan 13 18:02:30 2011 PST by vadim +! Generated Thu Jan 13 19:02:55 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported