mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-25 12:47:44 +01:00

see #2223 support for import of PIX/ASA named objects

Vadim Kurland 2011-03-14 19:43:18 -07:00
parent bc2a25a901
commit b7d1170d70
16 changed files with 2177 additions and 896 deletions


@ -1,3 +1,9 @@
2011-03-14 vadim <vadim@netcitadel.com>
* pix.g (named_object_network): see #2223 Implemented import of
named objects for Cisco PIX and ASA ("object network name" and
"object service name")
2011-03-12 vadim <vadim@netcitadel.com>
* Compiler.cpp (expandGroupsInRuleElement): sorting objects in the


@ -6,8 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -127,8 +125,9 @@ FWObject* IOSImporter::createAddress(const std::string &addr,
return Importer::createAddress(addr, correct_nm);
} catch (FWException &ex)
{
markCurrentRuleBad(
std::string("Error converting netmask '") + netmask + "' (address " + addr + ")");
reportError(
std::string("Error converting netmask '") +
netmask + "' (address " + addr + ")");
return Importer::createAddress(addr, InetAddr::getAllOnes().toString());
}
@ -151,7 +150,7 @@ FWObject* IOSImporter::createICMPService()
icmp_code = s2.str();
} else
{
markCurrentRuleBad(
reportError(
std::string("Import of icmp protocol '") + icmp_spec + "' failed");
icmp_code = "-1";
icmp_type = "-1";
@ -181,31 +180,10 @@ int IOSImporter::convertPort(const std::string &port_str,
int port = GetServByName::getPortByName(ps, proto.c_str());
if (port == -1)
{
markCurrentRuleBad(std::string("Port spec '") + port_str + "' unknown ");
reportError(std::string("Port spec '") + port_str + "' unknown ");
port = 0;
}
return port;
/*
int port = 0;
std::string ps = strip(port_str);
if (port_map.count(ps)>0) port = port_map[ps];
else
{
if (ps=="") return 0;
std::istringstream str1(ps);
str1.exceptions(std::ios::failbit);
try
{
str1 >> port;
} catch (const std::exception &ex) {
// could not convert port_spec to an integer
markCurrentRuleBad(std::string("Port spec '") + port_str +
"' unknown. Error " + ex.what());
}
}
return port;
*/
}
std::pair<int,int> IOSImporter::convertPortSpec(const std::string &port_op,
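Review bot: The fallbacks that follow these reportError() calls now apply silently when no rule is being built: convertPort still returns `port = 0` and createAddress still substitutes the all-ones netmask, while reportError() as added in Importer.cpp in this commit only logs and counts the error unless `current_rule != NULL`. For the named objects this commit starts importing, that presumably leaves an object carrying the configured name but a fallback value, with nothing in the object tree marking it as suspect. Consider recording the message on the object as well, for example in reportError() `else named_object_comment += comment + "\n";`, so that commitNamedObject() writes it into the object's comment. The same pattern appears in IPTImporter::convertPort and in Importer::createIPService / createICMPService (`proto_num = 0`, `type = -1`). Both functions touched here start or end outside their hunks.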


@ -6,8 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -38,13 +36,6 @@
#include <algorithm>
#include <map>
// #ifndef _WIN32
// # include <netdb.h>
// # include <netinet/in.h>
// #else
// # include <winsock2.h>
// #endif
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Network.h"
@ -232,12 +223,6 @@ void IPTImporter::pushTmpPortSpecToBothPortList()
}
FWObject* IPTImporter::createAddress(const std::string &addr,
const std::string &netmask)
{
return Importer::createAddress(addr, netmask);
}
FWObject* IPTImporter::createICMPService()
{
std::string icmpspec = strip(icmp_spec);
@ -255,7 +240,7 @@ FWObject* IPTImporter::createICMPService()
icmp_code = s2.str();
} else
{
markCurrentRuleBad(
reportError(
std::string("Import of icmp protocol '") + icmp_spec + "' failed");
icmp_code = "-1";
icmp_type = "-1";
@ -307,32 +292,10 @@ int IPTImporter::convertPort(const std::string &port_spec,
int port = GetServByName::getPortByName(ps, proto);
if (port == -1)
{
markCurrentRuleBad(std::string("Port spec '") + port_spec + "' unknown ");
reportError(std::string("Port spec '") + port_spec + "' unknown ");
port = 0;
}
return port;
/*
struct servent *se = getservbyname(ps.c_str(), proto);
if (se!=NULL)
{
port = ntohs(se->s_port);
//free(se);
return port;
}
std::istringstream str1(ps);
str1.exceptions(std::ios::failbit);
try
{
str1 >> port;
} catch (const std::exception &ex) {
// could not convert port_spec to an integer
markCurrentRuleBad(std::string("Port spec '") + port_spec +
"' unknown. Error " + ex.what());
}
return port;
*/
}
FWObject* IPTImporter::createTCPUDPService(str_tuple &src_range,
@ -550,7 +513,7 @@ void IPTImporter::processModuleMatches()
"protocols with two or more module matches, such as \n"
"module 'mark', 'recent' or 'length'. Use additional \n"
"branches to implement this complex match.");
markCurrentRuleBad(err.toUtf8().constData());
reportError(err.toUtf8().constData());
break;
}
@ -874,8 +837,7 @@ void IPTImporter::pushPolicyRule()
ropt->setStr("log_level", levels[llevel]);
else
{
markCurrentRuleBad(
std::string("Unrecognized log level '") + slevel);
reportError(std::string("Unrecognized log level '") + slevel);
}
} catch (const std::exception &ex) {
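Review bot: The message built in pushPolicyRule opens a quote that it never closes: `std::string("Unrecognized log level '") + slevel` ends right after the value, unlike the other reportError() messages in this file. Since the line was rewritten anyway, `reportError(std::string("Unrecognized log level '") + slevel + "'");` would keep the log and the rule comment unambiguous when slevel is empty or ends in whitespace. pushPolicyRule continues outside the hunk.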


@ -6,8 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -56,8 +54,6 @@ class IPTImporter : public Importer
libfwbuilder::FWObject* createTCPUDPService(const std::string &proto);
virtual libfwbuilder::FWObject* createAddress(const std::string &a,
const std::string &nm);
virtual libfwbuilder::FWObject* createIPService();
virtual libfwbuilder::FWObject* createICMPService();
virtual libfwbuilder::FWObject* createTCPService();


@ -6,8 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -197,6 +195,8 @@ void Importer::clear()
tmp_nm = "";
tmp_port_op = "";
tmp_port_spec = "";
tmp_range_1 = "";
tmp_range_2 = "";
logging = false;
established = false;
@ -211,8 +211,9 @@ void Importer::clear()
if (!tcp_flags_mask.empty()) tcp_flags_mask.clear();
if (!tcp_flags_comp.empty()) tcp_flags_comp.clear();
if (!tmp_tcp_flags_list.empty()) tmp_tcp_flags_list.clear();
}
named_object_comment = "";
}
Firewall* Importer::getFirewallObject()
{
@ -349,7 +350,9 @@ void Importer::setInterfaceParametes(const std::string &phys_intf_or_label,
const std::string &label,
const std::string &sec_level)
{
*logger << "Interface parameters: " + phys_intf_or_label + " " + label + " " + sec_level + "\n";
*logger << "Interface parameters: " + phys_intf_or_label +
" " + label + " " + sec_level + "\n";
if (all_interfaces.count(phys_intf_or_label))
{
// since first arg. is physical interface name, this must be pix6
@ -496,7 +499,6 @@ void Importer::setDefaultAction(const std::string &iptables_action_name)
*logger << "Default action: " + default_action_str + "\n";
}
void Importer::newPolicyRule()
{
FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
@ -537,13 +539,6 @@ void Importer::pushRule()
current_ruleset->ruleset->add(current_rule);
current_rule->setComment(addStandardRuleComment(rule_comment));
// *logger << "Rule: " << action << " "
// << protocol << " "
// << src_a << "/" << src_nm << " ";
// if (dst_a!="")
// *logger << dst_a << "/" << dst_nm << " ";
// *logger << "\n";
current_rule = NULL;
rule_comment = "";
@ -671,14 +666,16 @@ FWObject* Importer::getCustomService(const std::string &platform,
s->setCodeForPlatform(platform, code);
s->setComment(cstr.str());
all_objects[sstr.str()] = s;
ostringstream str;
str << "Custom Service object: " << nstr.str()
<< ": "
<< platform
<< ": "
<< code
<< "\n";
*logger << str.str();
// ostringstream str;
// str << "Custom Service object: " << nstr.str()
// << ": "
// << platform
// << ": "
// << code
// << "\n";
// *logger << str.str();
return s;
}
@ -707,7 +704,7 @@ FWObject* Importer::getIPService(int proto)
s->setComment(cstr.str());
all_objects[sstr.str()] = s;
*logger << "IP Service object: " + nstr.str() + "\n";
// *logger << "IP Service object: " + nstr.str() + "\n";
return s;
}
@ -730,7 +727,8 @@ FWObject* Importer::getICMPService(int type, int code)
s->setInt("code", code);
s->setComment(cstr.str());
all_objects[sstr.str()] = s;
*logger << "ICMP Service object: " + nstr.str() + "\n";
// *logger << "ICMP Service object: " + nstr.str() + "\n";
return s;
}
@ -827,7 +825,9 @@ FWObject* Importer::getTCPService(int srs, int sre,
s->setEstablished(established);
s->setComment(cstr.str());
all_objects[sstr.str()] = s;
*logger << "TCP Service object: " + nstr.str() + "\n";
// *logger << "TCP Service object: " + nstr.str() + "\n";
return s;
}
@ -855,7 +855,9 @@ FWObject* Importer::getUDPService(int srs, int sre, int drs, int dre)
s->setComment(cstr.str());
all_objects[sstr.str()] = s;
*logger << "UDP Service object: " + nstr.str() + "\n";
// *logger << "UDP Service object: " + nstr.str() + "\n";
return s;
}
@ -877,7 +879,9 @@ FWObject* Importer::getTagService(const std::string &tagcode)
s->setCode(tagcode);
s->setComment(cstr.str());
all_objects[sstr.str()] = s;
*logger << "Tag Service object: " + nstr.str() + "\n";
// *logger << "Tag Service object: " + nstr.str() + "\n";
return s;
}
@ -898,7 +902,7 @@ FWObject* Importer::createICMPService()
{
// could not convert
type = -1;
markCurrentRuleBad(std::string("ICMP type '") + icmp_type + "' unknown");
reportError(std::string("ICMP type '") + icmp_type + "' unknown");
}
}
@ -912,7 +916,7 @@ FWObject* Importer::createICMPService()
{
// could not convert
code = -1;
markCurrentRuleBad(std::string("ICMP code '") + icmp_code + "' unknown");
reportError(std::string("ICMP code '") + icmp_code + "' unknown");
}
}
@ -932,7 +936,7 @@ FWObject* Importer::createIPService()
{
// could not convert protocol number
proto_num = 0;
markCurrentRuleBad(std::string("Protocol '") + protocol + "' unknown");
reportError(std::string("Protocol '") + protocol + "' unknown");
}
return getIPService(proto_num);
}
@ -1032,7 +1036,7 @@ FWObject* Importer::createAddress(const std::string &addr,
" " + addr + "/" + netmask;
a->setComment(comment);
all_objects[sig] = a;
*logger << "Address object: " + name + "\n";
// *logger << "Address object: " + name + "\n";
return a;
} catch(FWException &ex)
{
@ -1047,7 +1051,7 @@ FWObject* Importer::createAddress(const std::string &addr,
" " + addr;
da->setComment(comment);
all_objects[sig] = da;
*logger << "DNSName object: " + name + "\n";
// *logger << "DNSName object: " + name + "\n";
return da;
}
@ -1061,8 +1065,7 @@ FWObject* Importer::createAddress(const std::string &addr,
net->setAddress( InetAddr(addr) );
} catch (FWException &ex)
{
markCurrentRuleBad(
std::string("Error converting address '") + addr + "'");
reportError(std::string("Error converting address '") + addr + "'");
}
try
@ -1073,8 +1076,7 @@ FWObject* Importer::createAddress(const std::string &addr,
if (netmask.find('.')!=std::string::npos)
{
// netmask has '.' in it but conversion failed.
markCurrentRuleBad(
std::string("Error converting netmask '") + netmask + "'");
reportError(std::string("Error converting netmask '") + netmask + "'");
} else
{
// no dot in netmask, perhaps it is specified by its length?
@ -1090,7 +1092,7 @@ FWObject* Importer::createAddress(const std::string &addr,
} catch (std::exception& e)
{
// could not convert netmask as simple integer
markCurrentRuleBad(
reportError(
std::string("Error converting netmask '") + netmask + "'");
}
}
@ -1101,7 +1103,7 @@ FWObject* Importer::createAddress(const std::string &addr,
net->setComment(comment);
all_objects[sig] = net;
*logger << "Network object: " + name + "\n";
// *logger << "Network object: " + name + "\n";
return net;
}
return NULL;
@ -1124,8 +1126,7 @@ FWObject* Importer::createAddressRange(const std::string &addr1,
ar->setRangeStart( InetAddr(addr1) );
} catch (FWException &ex)
{
markCurrentRuleBad(
std::string("Error converting address '") + addr1 + "'");
reportError(std::string("Error converting address '") + addr1 + "'");
}
try
@ -1133,13 +1134,14 @@ FWObject* Importer::createAddressRange(const std::string &addr1,
ar->setRangeEnd( InetAddr(addr2) );
} catch (FWException &ex)
{
markCurrentRuleBad(
std::string("Error converting address '") + addr2 + "'");
reportError(std::string("Error converting address '") + addr2 + "'");
}
ar->setComment(comment);
all_objects[sig] = ar;
*logger << "AddressRange object: " + name + "\n";
// *logger << "AddressRange object: " + name + "\n";
return ar;
}
@ -1151,18 +1153,19 @@ void Importer::markCurrentRuleBad(const std::string &comment)
{
FWOptions *ropt = current_rule->getOptionsObject();
assert(ropt!=NULL);
ropt->setStr("color", getBadRuleColor());
if (!rule_comment.empty()) rule_comment += "\n";
rule_comment += comment;
//current_rule->setComment(comment);
}
void Importer::reportError(const std::string &comment)
{
error_counter++;
QString err = QObject::tr("Parser error: Line %1: %2\n")
.arg(getCurrentLineNumber())
.arg(QString::fromUtf8(comment.c_str()));
*logger << err.toUtf8().constData();
error_counter++;
if (current_rule != NULL) markCurrentRuleBad(comment);
}
int Importer::countRules()
@ -1254,4 +1257,72 @@ string Importer::addStandardRuleComment(const string &comment)
return rule_comment;
}
/*
* Named objects
*
* At least in the case of Cisco configurations, I can only create an
* object after I saw the line "host ... ", "subnet ..." or "range
* ..." so I know its type. This means things like the name and
* comment are known before the type. I use methods
* commitNamed*Object() to create objects once all information is available.
*
* I other platforms information about named objects may not be
* arranged in this way, for example in PF configs named objects are
* represented by macros which do not have explicit type and have all
* information on one line. Still, in that case the same commit*()
* method will work if called by the grammar after all variables have
* been parsed and values assigned to temporary member variables
* inside the Importer object.
*/
void Importer::newNamedObjectAddress(const string &name)
{
named_object_name = name;
*logger << "Named object (address) " + name;
}
void Importer::newNamedObjectService(const string &name)
{
named_object_name = name;
*logger << "Named object (service) " + name;
}
void Importer::commitNamedObject(FWObject *obj)
{
if (obj)
{
if ( ! named_object_name.empty()) obj->setName(named_object_name);
if ( ! named_object_comment.empty())
obj->setComment(named_object_comment + "\n" + obj->getComment());
}
}
void Importer::commitNamedAddressObject()
{
commitNamedObject(createAddress(tmp_a, tmp_nm));
}
void Importer::commitNamedAddressRangeObject()
{
commitNamedObject(createAddressRange(tmp_range_1, tmp_range_2));
}
void Importer::commitNamedIPServiceObject()
{
commitNamedObject(createIPService());
}
void Importer::commitNamedICMPServiceObject()
{
commitNamedObject(createICMPService());
}
void Importer::commitNamedTCPUDPServiceObject()
{
FWObject *new_obj = NULL;
if (protocol == "tcp") new_obj = createTCPService();
if (protocol == "udp") new_obj = createUDPService();
commitNamedObject(new_obj);
}
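Review bot: commitNamedTCPUDPServiceObject() drops the object without any diagnostic when `protocol` is neither "tcp" nor "udp": new_obj stays NULL and commitNamedObject() returns silently on a null pointer. Later references to that name in the imported configuration would presumably have nothing to resolve to, and the import log gives no hint why. Suggest `else if (protocol == "udp") new_obj = createUDPService();` followed by `else reportError("Named service object: unsupported protocol '" + protocol + "'");`. The log lines in newNamedObjectAddress() and newNamedObjectService() also lack the trailing `"\n"` that the other `*logger <<` calls in this file use.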


@ -177,11 +177,12 @@ protected:
virtual libfwbuilder::FWObject* getTagService(const std::string &tagcode);
virtual libfwbuilder::FWObject* createAddress(const std::string &a,
const std::string &nm);
virtual libfwbuilder::FWObject* createAddressRange(const std::string &a1,
const std::string &a2);
virtual libfwbuilder::FWObject* createIPService();
virtual libfwbuilder::FWObject* createICMPService();
virtual libfwbuilder::FWObject* createTCPService();
@ -240,6 +241,9 @@ public:
std::string tmp_port_op;
std::string tmp_port_spec;
std::string tmp_range_1;
std::string tmp_range_2;
int tmp_tcp_flag_code;
std::list<int> tmp_tcp_flags_list;
std::list<int> tcp_flags_mask;
@ -256,6 +260,9 @@ public:
std::string time_range_name;
std::string named_object_name;
std::string named_object_comment;
void SaveTmpAddrToSrc();
void SaveTmpAddrToDst();
@ -329,11 +336,22 @@ public:
virtual void newNATRule();
virtual void pushRule();
virtual void newNamedObjectAddress(const std::string &name);
virtual void newNamedObjectService(const std::string &name);
virtual void commitNamedObject(libfwbuilder::FWObject *obj);
virtual void commitNamedAddressObject();
virtual void commitNamedAddressRangeObject();
virtual void commitNamedIPServiceObject();
virtual void commitNamedICMPServiceObject();
virtual void commitNamedTCPUDPServiceObject();
void setCurrentLineNumber(int n) { current_line_number = n; }
int getCurrentLineNumber() { return current_line_number;}
void markCurrentRuleBad(const std::string &comment);
void reportError(const std::string &comment);
// this method actually adds interfaces to the firewall object
// and does final clean up.
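Review bot: markCurrentRuleBad() stays public next to the new reportError(), but only reportError() checks `current_rule != NULL`; markCurrentRuleBad() in Importer.cpp dereferences current_rule directly and relies on an assert for ropt. With named objects now parsed outside any rule, a direct call from a grammar action would presumably crash on a null rule. Either move the declaration to the protected section or document the precondition, e.g. `// requires current_rule != NULL; parser actions should call reportError()`. The new string members tmp_range_1, tmp_range_2, named_object_name and named_object_comment could also use a one-line comment saying which grammar rule fills them.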


@ -71,6 +71,11 @@ PIXImporter::~PIXImporter()
{
}
FWObject* PIXImporter::createAddress(const string &a, const string &nm)
{
return Importer::createAddress(a, nm);
}
/*
* Rearrange vlan interfaces. Importer creates all interfaces as
* children of the firewall. Vlan interfaces should become
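Review bot: The new PIXImporter::createAddress() has no comment explaining why it skips IOSImporter::createAddress(), which (per the IOSImporter.cpp hunk in this commit) converts the netmask before calling Importer::createAddress(). The override looks intentional, presumably because PIX/ASA configurations carry regular netmasks rather than the form IOS access lists use. Without a note, a later cleanup could delete it as a redundant forwarder, just as this commit removes the identical-looking IPTImporter::createAddress(). Suggest a comment such as `// PIX/ASA netmasks need no conversion; bypass IOSImporter::createAddress() on purpose`.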


@ -38,6 +38,8 @@
class PIXImporter : public IOSImporter
{
virtual libfwbuilder::FWObject* createAddress(const std::string &a,
const std::string &nm);
public:
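Review bot: The createAddress() declaration is added above `public:`, so it lands in the class's default private section, while Importer declares the same virtual under `protected:`. Virtual dispatch still reaches it, but a class derived from PIXImporter could not call `PIXImporter::createAddress()` explicitly, and the narrower access looks accidental. Suggest placing it under an explicit `protected:` label ahead of `public:`.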


@ -46,54 +46,62 @@ PIXCfgLexer::PIXCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState&
void PIXCfgLexer::initLiterals()
{
literals["host"] = 31;
literals["setroute"] = 57;
literals["log"] = 34;
literals["access-list"] = 19;
literals["interface"] = 40;
literals["standby"] = 49;
literals["remark"] = 45;
literals["certificate"] = 12;
literals["exit"] = 53;
literals["name"] = 9;
literals["udp"] = 25;
literals["tcp"] = 24;
literals["controller"] = 39;
literals["eq"] = 26;
literals["crypto"] = 10;
literals["ip"] = 5;
literals["access-group"] = 52;
literals["time-range"] = 38;
literals["community-list"] = 7;
literals["icmp"] = 23;
literals["description"] = 44;
literals["Version"] = 15;
literals["nameif"] = 43;
literals["security-level"] = 42;
literals["secondary"] = 56;
literals["access"] = 51;
literals["lt"] = 28;
literals["range"] = 30;
literals["switchport"] = 50;
literals["log-input"] = 35;
literals["standard"] = 59;
literals["gt"] = 27;
literals["names"] = 8;
literals["permit"] = 21;
literals["extended"] = 58;
literals["address"] = 47;
literals["established"] = 36;
literals["dhcp"] = 48;
literals["neq"] = 29;
literals["established"] = 45;
literals["nameif"] = 52;
literals["subnet"] = 18;
literals["controller"] = 48;
literals["object"] = 12;
literals["remark"] = 59;
literals["access-list"] = 35;
literals["hostname"] = 33;
literals["community-list"] = 7;
literals["permit"] = 36;
literals["security-level"] = 51;
literals["source"] = 25;
literals["quit"] = 6;
literals["vlan"] = 41;
literals["any"] = 33;
literals["deny"] = 22;
literals["shutdown"] = 46;
literals["hostname"] = 17;
literals["PIX"] = 13;
literals["ASA"] = 14;
literals["fragments"] = 37;
literals["crypto"] = 27;
literals["PIX"] = 29;
literals["exit"] = 61;
literals["object-group"] = 68;
literals["nat"] = 14;
literals["range"] = 17;
literals["gt"] = 39;
literals["host"] = 16;
literals["secondary"] = 64;
literals["interface"] = 49;
literals["standard"] = 67;
literals["network"] = 13;
literals["vlan"] = 50;
literals["access"] = 58;
literals["service"] = 19;
literals["any"] = 42;
literals["dhcp"] = 55;
literals["deny"] = 37;
literals["neq"] = 41;
literals["address"] = 54;
literals["shutdown"] = 53;
literals["certificate"] = 28;
literals["udp"] = 24;
literals["fragments"] = 46;
literals["eq"] = 38;
literals["destination"] = 26;
literals["setroute"] = 65;
literals["ip"] = 5;
literals["log-input"] = 44;
literals["switchport"] = 57;
literals["description"] = 15;
literals["extended"] = 66;
literals["access-group"] = 60;
literals["Version"] = 31;
literals["log"] = 43;
literals["ASA"] = 30;
literals["lt"] = 40;
literals["time-range"] = 47;
literals["standby"] = 56;
literals["icmp"] = 20;
literals["tcp"] = 23;
}
ANTLR_USE_NAMESPACE(antlr)RefToken PIXCfgLexer::nextToken()
@ -410,11 +418,11 @@ void PIXCfgLexer::mLINE_COMMENT(bool _createToken) {
}
}
else {
goto _loop93;
goto _loop127;
}
}
_loop93:;
_loop127:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -446,9 +454,9 @@ void PIXCfgLexer::mNEWLINE(bool _createToken) {
}
if ( inputState->guessing==0 ) {
#line 820 "pix.g"
#line 1050 "pix.g"
newline();
#line 452 "PIXCfgLexer.cpp"
#line 460 "PIXCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -472,11 +480,11 @@ void PIXCfgLexer::mCOLON_COMMENT(bool _createToken) {
}
}
else {
goto _loop97;
goto _loop131;
}
}
_loop97:;
_loop131:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -570,9 +578,9 @@ void PIXCfgLexer::mWhitespace(bool _createToken) {
}
}
if ( inputState->guessing==0 ) {
#line 815 "pix.g"
#line 1045 "pix.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
#line 576 "PIXCfgLexer.cpp"
#line 584 "PIXCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -684,208 +692,208 @@ void PIXCfgLexer::mNUMBER(bool _createToken) {
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
{
bool synPredMatched116 = false;
bool synPredMatched150 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_2.member(LA(2))) && (_tokenSet_2.member(LA(3))) && (_tokenSet_2.member(LA(4))) && (_tokenSet_2.member(LA(5))) && (_tokenSet_2.member(LA(6))) && (_tokenSet_2.member(LA(7))) && (true) && (true) && (true))) {
int _m116 = mark();
synPredMatched116 = true;
int _m150 = mark();
synPredMatched150 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt111=0;
int _cnt145=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt111>=1 ) { goto _loop111; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt145>=1 ) { goto _loop145; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt111++;
_cnt145++;
}
_loop111:;
_loop145:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt113=0;
int _cnt147=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt113>=1 ) { goto _loop113; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt147>=1 ) { goto _loop147; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt113++;
_cnt147++;
}
_loop113:;
_loop147:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt115=0;
int _cnt149=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt115>=1 ) { goto _loop115; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt149>=1 ) { goto _loop149; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt115++;
_cnt149++;
}
_loop115:;
_loop149:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched116 = false;
synPredMatched150 = false;
}
rewind(_m116);
rewind(_m150);
inputState->guessing--;
}
if ( synPredMatched116 ) {
if ( synPredMatched150 ) {
{
{ // ( ... )+
int _cnt119=0;
int _cnt153=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt119>=1 ) { goto _loop119; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt153>=1 ) { goto _loop153; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt119++;
_cnt153++;
}
_loop119:;
_loop153:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt121=0;
int _cnt155=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt121>=1 ) { goto _loop121; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt155>=1 ) { goto _loop155; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt121++;
_cnt155++;
}
_loop121:;
_loop155:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt123=0;
int _cnt157=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt123>=1 ) { goto _loop123; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt157>=1 ) { goto _loop157; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt123++;
_cnt157++;
}
_loop123:;
_loop157:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt125=0;
int _cnt159=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt125>=1 ) { goto _loop125; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt159>=1 ) { goto _loop159; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt125++;
_cnt159++;
}
_loop125:;
_loop159:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 840 "pix.g"
#line 1070 "pix.g"
_ttype = IPV4;
#line 812 "PIXCfgLexer.cpp"
#line 820 "PIXCfgLexer.cpp"
}
}
else {
bool synPredMatched131 = false;
bool synPredMatched165 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_2.member(LA(2))) && (_tokenSet_2.member(LA(3))) && (true) && (true) && (true) && (true) && (true) && (true) && (true))) {
int _m131 = mark();
synPredMatched131 = true;
int _m165 = mark();
synPredMatched165 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt128=0;
int _cnt162=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt128>=1 ) { goto _loop128; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt162>=1 ) { goto _loop162; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt128++;
_cnt162++;
}
_loop128:;
_loop162:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt130=0;
int _cnt164=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt130>=1 ) { goto _loop130; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt164>=1 ) { goto _loop164; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt130++;
_cnt164++;
}
_loop130:;
_loop164:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched131 = false;
synPredMatched165 = false;
}
rewind(_m131);
rewind(_m165);
inputState->guessing--;
}
if ( synPredMatched131 ) {
if ( synPredMatched165 ) {
{
{ // ( ... )+
int _cnt134=0;
int _cnt168=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt134>=1 ) { goto _loop134; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt168>=1 ) { goto _loop168; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt134++;
_cnt168++;
}
_loop134:;
_loop168:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt136=0;
int _cnt170=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt136>=1 ) { goto _loop136; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt170>=1 ) { goto _loop170; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt136++;
_cnt170++;
}
_loop136:;
_loop170:;
} // ( ... )+
}
}
@ -894,45 +902,45 @@ void PIXCfgLexer::mNUMBER(bool _createToken) {
match('0' /* charlit */ );
match('x' /* charlit */ );
{ // ( ... )+
int _cnt141=0;
int _cnt175=0;
for (;;) {
if ((_tokenSet_3.member(LA(1)))) {
mHEXDIGIT(false);
}
else {
if ( _cnt141>=1 ) { goto _loop141; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt175>=1 ) { goto _loop175; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt141++;
_cnt175++;
}
_loop141:;
_loop175:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 846 "pix.g"
#line 1076 "pix.g"
_ttype = HEX_CONST;
#line 915 "PIXCfgLexer.cpp"
#line 923 "PIXCfgLexer.cpp"
}
}
else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true)) {
{ // ( ... )+
int _cnt138=0;
int _cnt172=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt138>=1 ) { goto _loop138; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt172>=1 ) { goto _loop172; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt138++;
_cnt172++;
}
_loop138:;
_loop172:;
} // ( ... )+
if ( inputState->guessing==0 ) {
#line 844 "pix.g"
#line 1074 "pix.g"
_ttype = INT_CONST;
#line 936 "PIXCfgLexer.cpp"
#line 944 "PIXCfgLexer.cpp"
}
}
else {
@ -1193,11 +1201,11 @@ void PIXCfgLexer::mWORD(bool _createToken) {
}
default:
{
goto _loop145;
goto _loop179;
}
}
}
_loop145:;
_loop179:;
} // ( ... )*
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -1219,11 +1227,11 @@ void PIXCfgLexer::mSTRING(bool _createToken) {
matchNot('\"' /* charlit */ );
}
else {
goto _loop148;
goto _loop182;
}
}
_loop148:;
_loop182:;
} // ( ... )*
match('\"' /* charlit */ );
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -1593,7 +1601,7 @@ const unsigned long PIXCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 429496729
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14
// 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! \" # $ %
// & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G
// H I J K L M N O P Q R S T U V W X Y Z [
// H I J K L M N O P Q R S T U V W X Y Z [ 0x5c ] ^ _ ` a b c d
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_1(_tokenSet_1_data_,16);
const unsigned long PIXCfgLexer::_tokenSet_2_data_[] = { 0UL, 67059712UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// . 0 1 2 3 4 5 6 7 8 9
@ -1605,6 +1613,6 @@ const unsigned long PIXCfgLexer::_tokenSet_4_data_[] = { 4294967288UL, 429496729
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 0x11 0x12 0x13
// 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f ! # $
// % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F
// G H I J K L M N O P Q R S T U V W X Y Z [
// G H I J K L M N O P Q R S T U V W X Y Z [ 0x5c ] ^ _ ` a b c d
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_4(_tokenSet_4_data_,16);


@ -72,22 +72,37 @@ public:
public: void ip_commands();
public: void intrface();
public: void vlan_interface();
public: void switchport();
public: void shutdown();
public: void sec_level();
public: void nameif();
public: void controller();
public: void access_list_commands();
public: void exit();
public: void description();
public: void shutdown();
public: void certificate();
public: void quit();
public: void names_section();
public: void name_entry();
public: void named_object_network();
public: void named_object_service();
public: void crypto();
public: void unknown_command();
public: void ip_access_list_ext();
public: void interface_known_commands();
public: void community_list_command();
public: void name_entry();
public: void named_object_network_parameters();
public: void named_object_nat();
public: void named_object_description();
public: void host_addr();
public: void range_addr();
public: void subnet_addr();
public: void named_object_service_parameters();
public: void service_icmp();
public: void service_icmp6();
public: void service_tcp_udp();
public: void service_other();
public: void src_port_spec();
public: void dst_port_spec();
public: void xoperator();
public: void permit_ext();
public: void deny_ext();
public: void remark();
@ -98,14 +113,16 @@ public:
public: void fragments();
public: void log();
public: void icmp_spec();
public: void xoperator();
public: void established();
public: void single_port_op();
public: void port_range();
public: void port_spec();
public: void pair_of_ports_spec();
public: void hostaddr_std();
public: void interface_parameters();
public: void intf_address();
public: void switchport();
public: void interface_description();
public: void interface_known_commands();
public: void v6_ip_address();
public: void v7_ip_address();
public: void v6_dhcp_address();
@ -124,10 +141,10 @@ protected:
private:
static const char* tokenNames[];
#ifndef NO_STATIC_CONSTS
static const int NUM_TOKENS = 92;
static const int NUM_TOKENS = 101;
#else
enum {
NUM_TOKENS = 92
NUM_TOKENS = 101
};
#endif


@ -18,88 +18,97 @@ struct CUSTOM_API PIXCfgParserTokenTypes {
COMMUNITY_LIST = 7,
NAMES = 8,
NAME = 9,
CRYPTO = 10,
IPV4 = 10,
WORD = 11,
CERTIFICATE = 12,
PIX_WORD = 13,
ASA_WORD = 14,
VERSION_WORD = 15,
NUMBER = 16,
HOSTNAME = 17,
STRING = 18,
ACCESS_LIST = 19,
INT_CONST = 20,
PERMIT = 21,
DENY = 22,
ICMP = 23,
TCP = 24,
UDP = 25,
P_EQ = 26,
P_GT = 27,
P_LT = 28,
P_NEQ = 29,
P_RANGE = 30,
HOST = 31,
IPV4 = 32,
ANY = 33,
LOG = 34,
LOG_INPUT = 35,
ESTABLISHED = 36,
FRAGMENTS = 37,
TIME_RANGE = 38,
CONTROLLER = 39,
INTRFACE = 40,
VLAN = 41,
SEC_LEVEL = 42,
NAMEIF = 43,
DESCRIPTION = 44,
REMARK = 45,
SHUTDOWN = 46,
ADDRESS = 47,
DHCP = 48,
STANDBY = 49,
SWITCHPORT = 50,
ACCESS = 51,
ACCESS_GROUP = 52,
EXIT = 53,
LINE_COMMENT = 54,
COLON_COMMENT = 55,
SECONDARY = 56,
SETROUTE = 57,
EXTENDED = 58,
STANDARD = 59,
Whitespace = 60,
HEX_CONST = 61,
NEG_INT_CONST = 62,
DIGIT = 63,
HEXDIGIT = 64,
PIPE_CHAR = 65,
NUMBER_SIGN = 66,
PERCENT = 67,
AMPERSAND = 68,
APOSTROPHE = 69,
OPENING_PAREN = 70,
CLOSING_PAREN = 71,
STAR = 72,
PLUS = 73,
COMMA = 74,
MINUS = 75,
DOT = 76,
SLASH = 77,
COLON = 78,
SEMICOLON = 79,
LESS_THAN = 80,
EQUALS = 81,
GREATER_THAN = 82,
QUESTION = 83,
COMMERCIAL_AT = 84,
OPENING_SQUARE = 85,
CLOSING_SQUARE = 86,
CARET = 87,
UNDERLINE = 88,
OPENING_BRACE = 89,
CLOSING_BRACE = 90,
TILDE = 91,
OBJECT = 12,
NETWORK = 13,
NAT = 14,
DESCRIPTION = 15,
HOST = 16,
RANGE = 17,
SUBNET = 18,
SERVICE = 19,
ICMP = 20,
INT_CONST = 21,
ICMP6 = 22,
TCP = 23,
UDP = 24,
SOURCE = 25,
DESTINATION = 26,
CRYPTO = 27,
CERTIFICATE = 28,
PIX_WORD = 29,
ASA_WORD = 30,
VERSION_WORD = 31,
NUMBER = 32,
HOSTNAME = 33,
STRING = 34,
ACCESS_LIST = 35,
PERMIT = 36,
DENY = 37,
P_EQ = 38,
P_GT = 39,
P_LT = 40,
P_NEQ = 41,
ANY = 42,
LOG = 43,
LOG_INPUT = 44,
ESTABLISHED = 45,
FRAGMENTS = 46,
TIME_RANGE = 47,
CONTROLLER = 48,
INTRFACE = 49,
VLAN = 50,
SEC_LEVEL = 51,
NAMEIF = 52,
SHUTDOWN = 53,
ADDRESS = 54,
DHCP = 55,
STANDBY = 56,
SWITCHPORT = 57,
ACCESS = 58,
REMARK = 59,
ACCESS_GROUP = 60,
EXIT = 61,
LINE_COMMENT = 62,
COLON_COMMENT = 63,
SECONDARY = 64,
SETROUTE = 65,
EXTENDED = 66,
STANDARD = 67,
OBJECT_GROUP = 68,
Whitespace = 69,
HEX_CONST = 70,
NEG_INT_CONST = 71,
DIGIT = 72,
HEXDIGIT = 73,
PIPE_CHAR = 74,
NUMBER_SIGN = 75,
PERCENT = 76,
AMPERSAND = 77,
APOSTROPHE = 78,
OPENING_PAREN = 79,
CLOSING_PAREN = 80,
STAR = 81,
PLUS = 82,
COMMA = 83,
MINUS = 84,
DOT = 85,
SLASH = 86,
COLON = 87,
SEMICOLON = 88,
LESS_THAN = 89,
EQUALS = 90,
GREATER_THAN = 91,
QUESTION = 92,
COMMERCIAL_AT = 93,
OPENING_SQUARE = 94,
CLOSING_SQUARE = 95,
CARET = 96,
UNDERLINE = 97,
OPENING_BRACE = 98,
CLOSING_BRACE = 99,
TILDE = 100,
NULL_TREE_LOOKAHEAD = 3
};
#ifdef __cplusplus


@ -6,85 +6,94 @@ QUIT="quit"=6
COMMUNITY_LIST="community-list"=7
NAMES="names"=8
NAME="name"=9
CRYPTO="crypto"=10
IPV4=10
WORD=11
CERTIFICATE="certificate"=12
PIX_WORD="PIX"=13
ASA_WORD="ASA"=14
VERSION_WORD="Version"=15
NUMBER=16
HOSTNAME="hostname"=17
STRING=18
ACCESS_LIST="access-list"=19
INT_CONST=20
PERMIT="permit"=21
DENY="deny"=22
ICMP="icmp"=23
TCP="tcp"=24
UDP="udp"=25
P_EQ="eq"=26
P_GT="gt"=27
P_LT="lt"=28
P_NEQ="neq"=29
P_RANGE="range"=30
HOST="host"=31
IPV4=32
ANY="any"=33
LOG="log"=34
LOG_INPUT="log-input"=35
ESTABLISHED="established"=36
FRAGMENTS="fragments"=37
TIME_RANGE="time-range"=38
CONTROLLER="controller"=39
INTRFACE="interface"=40
VLAN="vlan"=41
SEC_LEVEL="security-level"=42
NAMEIF="nameif"=43
DESCRIPTION="description"=44
REMARK="remark"=45
SHUTDOWN="shutdown"=46
ADDRESS="address"=47
DHCP="dhcp"=48
STANDBY="standby"=49
SWITCHPORT="switchport"=50
ACCESS="access"=51
ACCESS_GROUP="access-group"=52
EXIT="exit"=53
LINE_COMMENT=54
COLON_COMMENT=55
SECONDARY="secondary"=56
SETROUTE="setroute"=57
EXTENDED="extended"=58
STANDARD="standard"=59
Whitespace=60
HEX_CONST=61
NEG_INT_CONST=62
DIGIT=63
HEXDIGIT=64
PIPE_CHAR=65
NUMBER_SIGN=66
PERCENT=67
AMPERSAND=68
APOSTROPHE=69
OPENING_PAREN=70
CLOSING_PAREN=71
STAR=72
PLUS=73
COMMA=74
MINUS=75
DOT=76
SLASH=77
COLON=78
SEMICOLON=79
LESS_THAN=80
EQUALS=81
GREATER_THAN=82
QUESTION=83
COMMERCIAL_AT=84
OPENING_SQUARE=85
CLOSING_SQUARE=86
CARET=87
UNDERLINE=88
OPENING_BRACE=89
CLOSING_BRACE=90
TILDE=91
OBJECT="object"=12
NETWORK="network"=13
NAT="nat"=14
DESCRIPTION="description"=15
HOST="host"=16
RANGE="range"=17
SUBNET="subnet"=18
SERVICE="service"=19
ICMP="icmp"=20
INT_CONST=21
ICMP6=22
TCP="tcp"=23
UDP="udp"=24
SOURCE="source"=25
DESTINATION="destination"=26
CRYPTO="crypto"=27
CERTIFICATE="certificate"=28
PIX_WORD="PIX"=29
ASA_WORD="ASA"=30
VERSION_WORD="Version"=31
NUMBER=32
HOSTNAME="hostname"=33
STRING=34
ACCESS_LIST="access-list"=35
PERMIT="permit"=36
DENY="deny"=37
P_EQ="eq"=38
P_GT="gt"=39
P_LT="lt"=40
P_NEQ="neq"=41
ANY="any"=42
LOG="log"=43
LOG_INPUT="log-input"=44
ESTABLISHED="established"=45
FRAGMENTS="fragments"=46
TIME_RANGE="time-range"=47
CONTROLLER="controller"=48
INTRFACE="interface"=49
VLAN="vlan"=50
SEC_LEVEL="security-level"=51
NAMEIF="nameif"=52
SHUTDOWN="shutdown"=53
ADDRESS="address"=54
DHCP="dhcp"=55
STANDBY="standby"=56
SWITCHPORT="switchport"=57
ACCESS="access"=58
REMARK="remark"=59
ACCESS_GROUP="access-group"=60
EXIT="exit"=61
LINE_COMMENT=62
COLON_COMMENT=63
SECONDARY="secondary"=64
SETROUTE="setroute"=65
EXTENDED="extended"=66
STANDARD="standard"=67
OBJECT_GROUP="object-group"=68
Whitespace=69
HEX_CONST=70
NEG_INT_CONST=71
DIGIT=72
HEXDIGIT=73
PIPE_CHAR=74
NUMBER_SIGN=75
PERCENT=76
AMPERSAND=77
APOSTROPHE=78
OPENING_PAREN=79
CLOSING_PAREN=80
STAR=81
PLUS=82
COMMA=83
MINUS=84
DOT=85
SLASH=86
COLON=87
SEMICOLON=88
LESS_THAN=89
EQUALS=90
GREATER_THAN=91
QUESTION=92
COMMERCIAL_AT=93
OPENING_SQUARE=94
CLOSING_SQUARE=95
CARET=96
UNDERLINE=97
OPENING_BRACE=98
CLOSING_BRACE=99
TILDE=100


@ -4,6 +4,7 @@ include(../../qmake.inc)
#
TEMPLATE = lib
#
SOURCES = IOSCfgLexer.cpp \
IOSCfgParser.cpp \
IPTCfgLexer.cpp \
@ -22,7 +23,6 @@ HEADERS = ../../config.h \
PIXCfgParser.hpp \
PIXCfgParserTokenTypes.hpp \
CONFIG += staticlib
INCLUDEPATH += $$ANTLR_INCLUDEPATH ../libfwbuilder/src/


@ -92,6 +92,10 @@ cfgfile :
intrface
|
vlan_interface
|
switchport
|
shutdown
|
sec_level
|
@ -103,15 +107,17 @@ cfgfile :
|
exit
|
description
|
shutdown
|
certificate
|
quit
|
names_section
|
name_entry
|
named_object_network
|
named_object_service
|
crypto
|
@ -123,7 +129,7 @@ cfgfile :
//****************************************************************
ip_commands : IP ( ip_access_list_ext | interface_known_commands | community_list_command | unknown_command )
ip_commands : IP ( ip_access_list_ext | community_list_command | unknown_command )
;
//****************************************************************
@ -141,20 +147,196 @@ community_list_command : COMMUNITY_LIST
;
//****************************************************************
names_section : NAMES (name_entry)*
names_section : NAMES
{
importer->addMessageToLog("Parser warning: \"names\" section detected. "
"Import of configuration that uses \"names\" "
"is not supported at this time");
importer->addMessageToLog(
"Parser warning: \"names\" section detected. "
"Import of configuration that uses \"names\" "
"is not supported at this time");
}
;
name_entry : NAME
name_entry : NAME a:IPV4 n:WORD
{
importer->addMessageToLog(
"Name " + a->getText() + " " + n->getText());
*dbg << "Name " << a->getText() << " " << n->getText() << std::endl;
}
;
//****************************************************************
named_object_network : OBJECT NETWORK name:WORD
{
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newNamedObjectAddress(name->getText());
*dbg << name->getLine() << ":"
<< " Named Object " << name->getText() << std::endl;
importer->clear();
}
(
named_object_network_parameters
)+
;
named_object_network_parameters :
NEWLINE
(
named_object_nat
|
named_object_description
|
host_addr
|
range_addr
|
subnet_addr
)
;
named_object_nat : NAT
{
importer->addMessageToLog(
"Parser warning: "
"Import of named objects with \"nat\" command "
"is not supported at this time");
consumeUntil(NEWLINE);
}
;
named_object_description : DESCRIPTION
{
*dbg << LT(1)->getLine() << ":";
std::string descr;
while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE)
{
descr += LT(1)->getText() + " ";
consume();
}
importer->named_object_comment = descr;
*dbg << " DESCRIPTION " << descr << std::endl;
}
;
host_addr : (HOST h:IPV4)
{
importer->tmp_a = h->getText();
importer->tmp_nm = "255.255.255.255";
importer->commitNamedAddressObject();
*dbg << h->getText() << "/255.255.255.255";
}
;
range_addr : (RANGE r1:IPV4 r2:IPV4)
{
importer->tmp_range_1 = r1->getText();
importer->tmp_range_2 = r2->getText();
importer->commitNamedAddressRangeObject();
*dbg << r1->getText() << "/" << r2->getText();
}
;
subnet_addr : (SUBNET a:IPV4 nm:IPV4)
{
importer->tmp_a = a->getText();
importer->tmp_nm = nm->getText();
importer->commitNamedAddressObject();
*dbg << a->getText() << "/" << nm->getText();
}
;
//****************************************************************
named_object_service : OBJECT SERVICE name:WORD
{
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newNamedObjectService(name->getText());
*dbg << name->getLine() << ":"
<< " Named Object " << name->getText() << std::endl;
importer->clear();
}
(
named_object_service_parameters
)+
;
named_object_service_parameters :
NEWLINE
{
importer->setCurrentLineNumber(LT(0)->getLine());
}
(
named_object_description
|
service_icmp
|
service_icmp6
|
service_tcp_udp
|
service_other
)
;
service_icmp : SERVICE ICMP
(
icmp_type:INT_CONST
{
importer->icmp_type = LT(0)->getText();
}
| icmp_word:WORD
{
importer->icmp_spec = icmp_word->getText();
}
)
{
importer->commitNamedICMPServiceObject();
*dbg << "NAMED OBJECT SERVICE ICMP " << LT(0)->getText() << " ";
}
;
service_icmp6 : SERVICE ICMP6 (INT_CONST | WORD)
{
importer->addMessageToLog("Parser warning: "
"Import of IPv6 addresses and servcies "
"is not supported at this time");
*dbg << "NAMED OBJECT SERVICE ICMP6 " << LT(0)->getText() << " ";
consumeUntil(NEWLINE);
}
;
service_tcp_udp : SERVICE (TCP|UDP)
{
importer->protocol = LT(0)->getText();
*dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " ";
}
( src_port_spec )?
( dst_port_spec )?
{
importer->commitNamedTCPUDPServiceObject();
}
;
src_port_spec : SOURCE xoperator
{
importer->SaveTmpPortToSrc();
}
;
dst_port_spec : DESTINATION xoperator
{
importer->SaveTmpPortToDst();
}
;
service_other : SERVICE n:WORD
{
importer->protocol = LT(0)->getText();
importer->commitNamedIPServiceObject();
*dbg << "NAMED OBJECT SERVICE " << LT(0)->getText() << " ";
}
;
//****************************************************************
crypto : CRYPTO
{
@ -350,18 +532,29 @@ single_port_op : (P_EQ | P_GT | P_LT | P_NEQ )
port_spec
;
port_range : P_RANGE
{
importer->tmp_port_op = LT(0)->getText();
*dbg << LT(0)->getText() << " ";
}
port_spec port_spec
;
port_spec : (WORD|INT_CONST)
{
importer->tmp_port_spec += (std::string(" ") + LT(0)->getText());
*dbg << LT(0)->getText() << " ";
importer->tmp_port_spec = (std::string(" ") + LT(0)->getText());
*dbg << LT(0)->getText() << " " << importer->tmp_port_spec;
}
;
port_range : RANGE pair_of_ports_spec
{
importer->tmp_port_op = "range";
*dbg << "range ";
}
;
pair_of_ports_spec : (s1:WORD|s2:INT_CONST) (e1:WORD|e2:INT_CONST)
{
importer->tmp_port_spec = "";
if (s1) importer->tmp_port_spec += s1->getText();
if (s2) importer->tmp_port_spec += s2->getText();
importer->tmp_port_spec += " ";
if (e1) importer->tmp_port_spec += e1->getText();
if (e2) importer->tmp_port_spec += e2->getText();
*dbg << "pair of ports: " << importer->tmp_port_spec;
}
;
@ -369,8 +562,8 @@ hostaddr_ext :
(HOST h:IPV4)
{
importer->tmp_a = h->getText();
importer->tmp_nm = "0.0.0.0";
*dbg << h->getText() << "/0.0.0.0";
importer->tmp_nm = "255.255.255.255";
*dbg << h->getText() << "/255.255.255.255";
}
|
(a:IPV4 m:IPV4)
@ -490,11 +683,37 @@ controller : CONTROLLER
intrface : INTRFACE in:WORD
{
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newInterface( in->getText() );
*dbg << in->getLine() << ":"
<< " INTRFACE: " << in->getText() << std::endl;
consumeUntil(NEWLINE);
}
(
interface_parameters
)+
;
interface_parameters :
NEWLINE
{
importer->setCurrentLineNumber(LT(0)->getLine());
}
(
intf_address
|
vlan_interface
|
sec_level
|
nameif
|
interface_description
|
switchport
|
shutdown
)
;
vlan_interface : VLAN vlan_id:INT_CONST
@ -525,7 +744,7 @@ nameif : NAMEIF phys_intf:WORD (NEWLINE | intf_label:WORD sec_level:WORD NEWLIN
// interface description
// Use it for comment
description : DESCRIPTION
interface_description : DESCRIPTION
{
*dbg << LT(1)->getLine() << ":";
std::string descr;
@ -540,26 +759,6 @@ description : DESCRIPTION
}
;
//****************************************************************
// remark. According to the Cisco docs, can only be used
// within access list
// Use it for the current rule comment
remark : REMARK
{
*dbg << LT(1)->getLine() << ":";
std::string rem;
while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE)
{
rem += LT(1)->getText() + " ";
consume();
}
importer->addRuleComment( rem );
*dbg << " REMARK " << rem << std::endl;
//consumeUntil(NEWLINE);
}
;
shutdown : SHUTDOWN
{
importer->ignoreCurrentInterface();
@ -571,10 +770,6 @@ shutdown : SHUTDOWN
interface_known_commands :
(
intf_address
|
switchport
|
shutdown
) NEWLINE ;
@ -600,7 +795,7 @@ interface_known_commands :
// ip address dhcp setroute
// !
intf_address : ADDRESS (v6_ip_address | v7_ip_address) ;
intf_address : IP ADDRESS (v6_ip_address | v7_ip_address) ;
v6_ip_address : v6_dhcp_address | v6_static_address;
@ -666,8 +861,30 @@ v7_static_address : a:IPV4 m:IPV4 (s:STANDBY)?
;
switchport : SWITCHPORT ACCESS VLAN vlan_num:WORD
switchport : SWITCHPORT ACCESS VLAN vlan_num:INT_CONST
{
importer->addMessageToLog("Switch port vlan " + vlan_num->getText());
*dbg << "Switch port vlan " << vlan_num->getText() << std::endl;
}
;
//****************************************************************
// remark. According to the Cisco docs, can only be used
// within access list
// Use it for the current rule comment
remark : REMARK
{
*dbg << LT(1)->getLine() << ":";
std::string rem;
while (LA(1) != ANTLR_USE_NAMESPACE(antlr)Token::EOF_TYPE && LA(1) != NEWLINE)
{
rem += LT(1)->getText() + " ";
consume();
}
importer->addRuleComment( rem );
*dbg << " REMARK " << rem << std::endl;
//consumeUntil(NEWLINE);
}
;
@ -711,13 +928,13 @@ comment : (LINE_COMMENT | COLON_COMMENT) ;
//****************************************************************
class PIXCfgLexer extends Lexer;
options {
options
{
k = 10;
// ASCII only
charVocabulary = '\3'..'\377';
}
tokens
{
EXIT = "exit";
@ -760,6 +977,9 @@ tokens
TCP = "tcp";
UDP = "udp";
DESTINATION = "destination";
SOURCE = "source";
// AHP = "ahp";
// EIGRP = "eigrp";
// ESP = "esp";
@ -779,7 +999,8 @@ tokens
P_GT = "gt";
P_LT = "lt";
P_NEQ = "neq";
P_RANGE = "range";
RANGE = "range";
LOG = "log";
LOG_INPUT = "log-input";
@ -800,6 +1021,15 @@ tokens
NAMES = "names";
NAME = "name";
OBJECT = "object";
OBJECT_GROUP = "object-group";
NETWORK = "network";
SERVICE = "service";
SUBNET = "subnet";
NAT = "nat";
}
@ -817,7 +1047,7 @@ Whitespace : ( '\003'..'\010' | '\t' | '\013' | '\f' | '\016'.. '\037' | '\177'
//COMMENT_START : '!' ;
NEWLINE : ( "\r\n" | '\r' | '\n' ) { newline(); } ;
NEWLINE : ( "\r\n" | '\r' | '\n' ) { newline(); } ;
protected
INT_CONST:;
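Review bot: In `service_icmp6` the object opened by `newNamedObjectService()` gets no commit call: the rule only logs a warning through `addMessageToLog` and skips to NEWLINE, and `named_object_nat` drops the `nat` line the same way. For a firewall import this means a policy that refers to that service name, or relies on the dropped NAT, comes out incomplete, and whether anything stronger than a log line flags it is not visible in this section. I would say so in a comment above both rules, e.g. `// unsupported: statement is skipped, the imported policy must be reviewed by hand`, and check what the importer does with the pending object. The warning text in `service_icmp6` also has a typo and should read `"Import of IPv6 addresses and services "`.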


@ -21,6 +21,7 @@ interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
description Switch port 0/0
switchport access vlan 2
!
interface Ethernet0/1
@ -39,32 +40,128 @@ interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
!
!
object network internal_subnet_1
description Internal Subnet 1
subnet 192.168.1.0 255.255.255.192
object network internal_subnet_2
description Internal Subnet 2
subnet 192.168.1.64 255.255.255.192
object service smtp
service tcp destination eq smtp
object network firewall90:FastEthernet1:ip-1
host 22.22.22.23
object network Internal_net
subnet 192.168.1.0 255.255.255.0
object service http
service tcp destination eq www
object network outside_range-1
range 22.22.22.30 22.22.22.40
object network range_1
range 10.1.1.1 10.1.1.100
object network firewall90:FastEthernet1:ip-1
host 22.22.22.23
object network hostA:eth0
host 192.168.1.10
object service squid
service tcp destination eq 3128
object network spamhost1
host 61.150.47.112
object network spamhost2
host 61.150.47.113
object service smtps
service tcp destination eq 465
object network outside_range-1
range 22.22.22.30 22.22.22.40
object network external_gw2
host 22.22.22.100
!
! Example of a named object with "nat" command
!
object network my-range-obj
range 10.2.2.1 10.2.2.10
object network my-inside-net
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic my-range-ob
!
!
object service smtp
service tcp destination eq smtp
object service http
service tcp destination eq www
object service squid
service tcp destination eq 3128
object service smtps
service tcp destination eq 465
!
object service icmp1
service icmp echo
object service icmp2
service icmp unreachable
!
object service tcp-src-1
service tcp source lt 1024
object service tcp-src-2
service tcp source gt 1024
object service tcp-src-3
service tcp source eq 80
object service tcp-src-4
service tcp source neq 88
object service tcp-src-5
service tcp source range 1000 1010
!
object service tcp-dst-1
service tcp destination lt 1024
object service tcp-dst-2
service tcp destination gt 1024
object service tcp-dst-3
service tcp destination eq 80
object service tcp-dst-4
service tcp destination neq 88
object service tcp-dst-5
service tcp destination range 1001 1011
!
object service tcp-src-dst-1
service tcp source lt 1024 destination eq 80
object service tcp-src-dst-2
service tcp source gt 1024 destination eq 2222
object service tcp-src-dst-3
service tcp source eq 80 destination gt 1024
object service tcp-src-dst-4
service tcp source neq 88 destination gt 1024
object service tcp-src-dst-5
service tcp source range 1002 1012 destination gt 1024
!
object service udp-src-1
service udp source lt 1024
object service udp-src-2
service udp source gt 1024
object service udp-src-3
service udp source eq 80
object service udp-src-4
service udp source neq 80
object service udp-src-5
service udp source range 1000 1010
!
object service udp-dst-1
service udp destination lt 1024
object service udp-dst-2
service udp destination gt 1024
object service udp-dst-3
service udp destination eq 80
object service udp-dst-4
service udp destination neq 80
object service udp-dst-5
service udp destination range 1001 1011
!
object service ip1
service ip
object service ip2
service eigrp
object service icmp6-1
service icmp6 neighbor-advertisement
!
! incomplete statement
!
object service ip3
!
object-group network outside.id178211X29963.osrc.net.0
network-object object internal_subnet_1
network-object object internal_subnet_2