see #1944 ASA Policy - duplicate network object groups created for mixed service group with TCP dst and TCP src port range objects; FIXED

2026-03-19 01:37:17 +01:00 · 2011-01-17 13:20:38 -08:00 · 2011-01-17 13:20:38 -08:00 · b6b548f88f
commit b6b548f88f
parent bfce60d98d
39 changed files with 51 additions and 49 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,12 @@
 2011-01-17  vadim  <vadim@netcitadel.com>

+	* PolicyCompiler_pix.cpp (compile): fixed #1944 "ASA Policy -
+	duplicate network object groups created for mixed service group
+	with TCP dst and TCP src port range objects". Need to convert
+	address range objects to subnets early, before the rule is split
+	for any reason, to make sure object groups created later match
+	and are reused.
+
 	* NamedObjectsAndGroupsSupport.cpp (processNext): See #1943 "ASA
 	Policy - mixed service group with TCP destination port range and
 	standard TCP object generates invalid config". Protocol word "tcp"
--- a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
+++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
@ -121,30 +121,23 @@ BaseObjectGroup* CreateObjectGroups::findObjectGroup(RuleElement *re)
    list<FWObject*> relement;

    for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1) 
-    {
-        FWObject *o   = *i1;
-        FWObject *obj = FWReference::getObject(o);
-        relement.push_back(obj);
-    }
-
+        relement.push_back(FWReference::getObject(*i1));

    for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i)
    {
-        BaseObjectGroup *og=dynamic_cast<BaseObjectGroup*>(*i);
+        BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
        assert(og!=NULL);

        if (og->size()==0 || (og->size()!=re->size()) ) continue;

-        bool match=true;
+        bool match = true;
        for (FWObject::iterator i1=og->begin(); i1!=og->end(); ++i1) 
        {
-            FWObject *o   = *i1;
-            FWObject *obj = o;
-            if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
+            FWObject *obj = FWReference::getObject(*i1);

            if ( find(relement.begin(), relement.end(), obj)==relement.end() )
            {
-                match=false;
+                match = false;
                break;
            }
        }
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
@ -550,6 +550,8 @@ void PolicyCompiler_pix::compile()
    add( new InterfacePolicyRules(
             "process interface policy rules and store interface ids"));

+    add( new addressRanges("process address ranges" ));
+
    if ( fwopt->getBool("pix_assume_fw_part_of_any"))
    {
 // add( new splitIfSrcAny( "split rule if src is any" ));
@ -603,7 +605,7 @@ void PolicyCompiler_pix::compile()

    add( new checkForUnnumbered( "check for unnumbered interfaces" ));

-    add( new addressRanges("process address ranges" ));
+    //add( new addressRanges("process address ranges" ));

    if (outbound_acl_supported )
    {
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:58:01 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1-1_pix2.fw.orig
+++ b/test/pix/cluster1-1_pix2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:58:02 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1_pix1.fw.orig
+++ b/test/pix/cluster1_pix1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:58:01 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1_pix2.fw.orig
+++ b/test/pix/cluster1_pix2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:58:01 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:20 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall.fw.orig
+++ b/test/pix/firewall.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:35 2011 PST by vadim
+!  Generated Mon Jan 17 13:16:54 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall1.fw.orig
+++ b/test/pix/firewall1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:36 2011 PST by vadim
+!  Generated Mon Jan 17 13:16:55 2011 PST by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
--- a/test/pix/firewall10.fw.orig
+++ b/test/pix/firewall10.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:37 2011 PST by vadim
+!  Generated Mon Jan 17 13:16:56 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall11.fw.orig
+++ b/test/pix/firewall11.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:37 2011 PST by vadim
+!  Generated Mon Jan 17 13:16:56 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall12.fw.orig
+++ b/test/pix/firewall12.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:38 2011 PST by vadim
+!  Generated Mon Jan 17 13:16:57 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall13.fw.orig
+++ b/test/pix/firewall13.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:39 2011 PST by vadim
+!  Generated Mon Jan 17 13:16:58 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall14.fw.orig
+++ b/test/pix/firewall14.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:40 2011 PST by vadim
+!  Generated Mon Jan 17 13:16:58 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall2.fw.orig
+++ b/test/pix/firewall2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:40 2011 PST by vadim
+!  Generated Mon Jan 17 13:16:59 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall20.fw.orig
+++ b/test/pix/firewall20.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:41 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:00 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall21-1.fw.orig
+++ b/test/pix/firewall21-1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:42 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:02 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall21.fw.orig
+++ b/test/pix/firewall21.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:42 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:01 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall22.fw.orig
+++ b/test/pix/firewall22.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:43 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:02 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall3.fw.orig
+++ b/test/pix/firewall3.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:44 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:03 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall33.fw.orig
+++ b/test/pix/firewall33.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:45 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:04 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall34.fw.orig
+++ b/test/pix/firewall34.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:46 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:05 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall4.fw.orig
+++ b/test/pix/firewall4.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:47 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:05 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall50.fw.orig
+++ b/test/pix/firewall50.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:47 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:06 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall6.fw.orig
+++ b/test/pix/firewall6.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:48 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:07 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall8.fw.orig
+++ b/test/pix/firewall8.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:49 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:08 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall80.fw.orig
+++ b/test/pix/firewall80.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:50 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:09 2011 PST by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported
--- a/test/pix/firewall81.fw.orig
+++ b/test/pix/firewall81.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:51 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:09 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall82.fw.orig
+++ b/test/pix/firewall82.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:51 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:10 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall83.fw.orig
+++ b/test/pix/firewall83.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:52 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:11 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall9.fw.orig
+++ b/test/pix/firewall9.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:53 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:11 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall90.fw.orig
+++ b/test/pix/firewall90.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:53 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:12 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall91.fw.orig
+++ b/test/pix/firewall91.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:54 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:13 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall92.fw.orig
+++ b/test/pix/firewall92.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:55 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:14 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall93.fw.orig
+++ b/test/pix/firewall93.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:55 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:14 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/fwsm1.fw.orig
+++ b/test/pix/fwsm1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:56 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:15 2011 PST by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported
--- a/test/pix/fwsm2.fw.orig
+++ b/test/pix/fwsm2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:57 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:16 2011 PST by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
--- a/test/pix/pix515.fw.orig
+++ b/test/pix/pix515.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:59 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:17 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/real.fw.orig
+++ b/test/pix/real.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3436
 !
-!  Generated Mon Jan 17 12:57:59 2011 PST by vadim
+!  Generated Mon Jan 17 13:17:18 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported