mirror of https://github.com/fwbuilder/fwbuilder synced 2026-05-01 22:57:33 +02:00

fixes #2678 Policy importer for PIX/ASA could not parse nat command

with parameter "outside"
Vadim Kurland 2011-12-07 17:02:07 -08:00
parent eacdadc1b9
commit b89bf502d3
10 changed files with 1370 additions and 1260 deletions


@ -1,5 +1,8 @@
2011-12-07 Vadim Kurland <vadim@netcitadel.com>
* pix.g (nat_command_last_parameters): fixes #2678 Policy importer
for PIX/ASA could not parse nat command with parameter "outside"
* PIXImporterNat.cpp (PIXImporter::buildNoNATRule): fixes #2679
Policy importer for PIX/ASA could not import "nat exemption" rule
(for example: "nat (inside) 0 access-list EXEMPT")


@ -350,13 +350,19 @@ void PIXImporter::buildSNATRule()
assert(tsrc!=NULL);
if (addr) tsrc->addRef( addr );
RuleElement *itf_i_re = rule->getItfInb();
assert(itf_i_re!=NULL);
itf_i_re->addRef(pre_intf);
if (pre_intf)
{
RuleElement *itf_i_re = rule->getItfInb();
assert(itf_i_re!=NULL);
itf_i_re->addRef(pre_intf);
}
RuleElement *itf_o_re = rule->getItfOutb();
assert(itf_o_re!=NULL);
itf_o_re->addRef(post_intf);
if (post_intf)
{
RuleElement *itf_o_re = rule->getItfOutb();
assert(itf_o_re!=NULL);
itf_o_re->addRef(post_intf);
}
if ( ! nat_acl.empty())
{
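Review bot: When `pre_intf` or `post_intf` is null, the two new guards skip `addRef()` and the rule is built with that interface element left unset, with nothing reported to the user. For an imported firewall policy that presumably means the NAT rule is no longer bound to the interface named in the original `nat` line, so the import log should say so: an `else` branch such as `else addMessageToLog(QString("Warning: nat rule imported without inbound interface"));` (and the matching one for the outbound side) would make the gap visible, assuming `addMessageToLog` is reachable from `PIXImporter` as it is through `importer->` in the grammar actions. Separately, `assert(itf_i_re!=NULL)` and `assert(itf_o_re!=NULL)` are the only checks before the dereference and disappear in an NDEBUG build. buildSNATRule starts and ends outside this hunk.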


@ -506,11 +506,11 @@ void PIXCfgLexer::mLINE_COMMENT(bool _createToken) {
}
}
else {
goto _loop288;
goto _loop285;
}
}
_loop288:;
_loop285:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -542,7 +542,7 @@ void PIXCfgLexer::mNEWLINE(bool _createToken) {
}
if ( inputState->guessing==0 ) {
#line 2536 "pix.g"
#line 2548 "pix.g"
newline();
#line 548 "PIXCfgLexer.cpp"
}
@ -568,11 +568,11 @@ void PIXCfgLexer::mCOLON_COMMENT(bool _createToken) {
}
}
else {
goto _loop292;
goto _loop289;
}
}
_loop292:;
_loop289:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -666,7 +666,7 @@ void PIXCfgLexer::mWhitespace(bool _createToken) {
}
}
if ( inputState->guessing==0 ) {
#line 2531 "pix.g"
#line 2543 "pix.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
#line 672 "PIXCfgLexer.cpp"
}
@ -764,15 +764,15 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
{
bool synPredMatched341 = false;
bool synPredMatched338 = false;
if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (true))) {
int _m341 = mark();
synPredMatched341 = true;
int _m338 = mark();
synPredMatched338 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt340=0;
int _cnt337=0;
for (;;) {
switch ( LA(1)) {
case 0x61 /* 'a' */ :
@ -801,27 +801,27 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
if ( _cnt340>=1 ) { goto _loop340; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt337>=1 ) { goto _loop337; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
}
_cnt340++;
_cnt337++;
}
_loop340:;
_loop337:;
} // ( ... )+
mCOLON(false);
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched341 = false;
synPredMatched338 = false;
}
rewind(_m341);
rewind(_m338);
inputState->guessing--;
}
if ( synPredMatched341 ) {
if ( synPredMatched338 ) {
{
{
{ // ( ... )+
int _cnt345=0;
int _cnt342=0;
for (;;) {
switch ( LA(1)) {
case 0x61 /* 'a' */ :
@ -850,15 +850,15 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
if ( _cnt345>=1 ) { goto _loop345; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt342>=1 ) { goto _loop342; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
}
_cnt345++;
_cnt342++;
}
_loop345:;
_loop342:;
} // ( ... )+
{ // ( ... )+
int _cnt349=0;
int _cnt346=0;
for (;;) {
if ((LA(1) == 0x3a /* ':' */ )) {
mCOLON(false);
@ -891,34 +891,34 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
goto _loop348;
goto _loop345;
}
}
}
_loop348:;
_loop345:;
} // ( ... )*
}
else {
if ( _cnt349>=1 ) { goto _loop349; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt346>=1 ) { goto _loop346; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt349++;
_cnt346++;
}
_loop349:;
_loop346:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2577 "pix.g"
#line 2589 "pix.g"
_ttype = IPV6;
#line 914 "PIXCfgLexer.cpp"
}
}
}
else {
bool synPredMatched306 = false;
bool synPredMatched303 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true))) {
int _m306 = mark();
synPredMatched306 = true;
int _m303 = mark();
synPredMatched303 = true;
inputState->guessing++;
try {
{
@ -926,240 +926,240 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched306 = false;
synPredMatched303 = false;
}
rewind(_m306);
rewind(_m303);
inputState->guessing--;
}
if ( synPredMatched306 ) {
if ( synPredMatched303 ) {
{
bool synPredMatched315 = false;
bool synPredMatched312 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m315 = mark();
synPredMatched315 = true;
int _m312 = mark();
synPredMatched312 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt310=0;
int _cnt307=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt310>=1 ) { goto _loop310; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt307>=1 ) { goto _loop307; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt310++;
_cnt307++;
}
_loop310:;
_loop307:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt312=0;
int _cnt309=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt312>=1 ) { goto _loop312; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt309>=1 ) { goto _loop309; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt312++;
_cnt309++;
}
_loop312:;
_loop309:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt314=0;
int _cnt311=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt314>=1 ) { goto _loop314; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt311>=1 ) { goto _loop311; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt314++;
_cnt311++;
}
_loop314:;
_loop311:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched315 = false;
synPredMatched312 = false;
}
rewind(_m315);
rewind(_m312);
inputState->guessing--;
}
if ( synPredMatched315 ) {
if ( synPredMatched312 ) {
{
{ // ( ... )+
int _cnt318=0;
int _cnt315=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt318>=1 ) { goto _loop318; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt315>=1 ) { goto _loop315; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt318++;
_cnt315++;
}
_loop318:;
_loop315:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt320=0;
int _cnt317=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt320>=1 ) { goto _loop320; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt317>=1 ) { goto _loop317; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt320++;
_cnt317++;
}
_loop320:;
_loop317:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt322=0;
int _cnt319=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt322>=1 ) { goto _loop322; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt319>=1 ) { goto _loop319; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt322++;
_cnt319++;
}
_loop322:;
_loop319:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt324=0;
int _cnt321=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt324>=1 ) { goto _loop324; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt321>=1 ) { goto _loop321; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt324++;
_cnt321++;
}
_loop324:;
_loop321:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2565 "pix.g"
#line 2577 "pix.g"
_ttype = IPV4;
#line 1061 "PIXCfgLexer.cpp"
}
}
else {
bool synPredMatched330 = false;
bool synPredMatched327 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m330 = mark();
synPredMatched330 = true;
int _m327 = mark();
synPredMatched327 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt327=0;
int _cnt324=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt327>=1 ) { goto _loop327; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt324>=1 ) { goto _loop324; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt327++;
_cnt324++;
}
_loop327:;
_loop324:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt329=0;
int _cnt326=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt329>=1 ) { goto _loop329; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt326>=1 ) { goto _loop326; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt329++;
_cnt326++;
}
_loop329:;
_loop326:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched330 = false;
synPredMatched327 = false;
}
rewind(_m330);
rewind(_m327);
inputState->guessing--;
}
if ( synPredMatched330 ) {
if ( synPredMatched327 ) {
{
{ // ( ... )+
int _cnt333=0;
int _cnt330=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt333>=1 ) { goto _loop333; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt330>=1 ) { goto _loop330; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt333++;
_cnt330++;
}
_loop333:;
_loop330:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt335=0;
int _cnt332=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt335>=1 ) { goto _loop335; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt332>=1 ) { goto _loop332; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt335++;
_cnt332++;
}
_loop335:;
_loop332:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2568 "pix.g"
#line 2580 "pix.g"
_ttype = NUMBER;
#line 1144 "PIXCfgLexer.cpp"
}
}
else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) {
{ // ( ... )+
int _cnt337=0;
int _cnt334=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt337>=1 ) { goto _loop337; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt334>=1 ) { goto _loop334; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt337++;
_cnt334++;
}
_loop337:;
_loop334:;
} // ( ... )+
if ( inputState->guessing==0 ) {
#line 2570 "pix.g"
#line 2582 "pix.g"
_ttype = INT_CONST;
#line 1165 "PIXCfgLexer.cpp"
}
@ -1414,14 +1414,14 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
goto _loop352;
goto _loop349;
}
}
}
_loop352:;
_loop349:;
} // ( ... )*
if ( inputState->guessing==0 ) {
#line 2585 "pix.g"
#line 2597 "pix.g"
_ttype = WORD;
#line 1427 "PIXCfgLexer.cpp"
}
@ -1465,11 +1465,11 @@ void PIXCfgLexer::mSTRING(bool _createToken) {
matchNot('\"' /* charlit */ );
}
else {
goto _loop355;
goto _loop352;
}
}
_loop355:;
_loop352:;
} // ( ... )*
match('\"' /* charlit */ );
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {


@ -6809,6 +6809,7 @@ void PIXCfgParser::nat_addr_match() {
case UDP:
case DNS:
case OUTSIDE:
case NORANDOMSEQ:
{
break;
}
@ -6835,7 +6836,7 @@ void PIXCfgParser::nat_addr_match() {
}
importer->nat_a = "0.0.0.0";
#line 6839 "PIXCfgParser.cpp"
#line 6840 "PIXCfgParser.cpp"
}
{
if ((LA(1) == INT_CONST) && (_tokenSet_38.member(LA(2)))) {
@ -6852,7 +6853,7 @@ void PIXCfgParser::nat_addr_match() {
}
importer->nat_nm = "0.0.0.0";
#line 6856 "PIXCfgParser.cpp"
#line 6857 "PIXCfgParser.cpp"
}
}
else if ((_tokenSet_38.member(LA(1))) && (_tokenSet_39.member(LA(2)))) {
@ -6874,7 +6875,7 @@ void PIXCfgParser::nat_addr_match() {
importer->nat_acl = acl_name->getText();
#line 6878 "PIXCfgParser.cpp"
#line 6879 "PIXCfgParser.cpp"
}
break;
}
@ -6895,94 +6896,28 @@ void PIXCfgParser::nat_addr_match() {
}
void PIXCfgParser::nat_command_last_parameters() {
ANTLR_USE_NAMESPACE(antlr)RefToken max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
ANTLR_USE_NAMESPACE(antlr)RefToken max_emb_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
try { // for error handling
{
switch ( LA(1)) {
case DNS:
{
match(DNS);
break;
}
case INT_CONST:
case TCP:
case UDP:
case OUTSIDE:
case DNS:
case NORANDOMSEQ:
{
nat_and_static_command_common_last_parameters();
break;
}
default:
{
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
}
{
switch ( LA(1)) {
case OUTSIDE:
{
match(OUTSIDE);
break;
}
case INT_CONST:
case TCP:
case UDP:
{
break;
}
default:
{
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
}
{
switch ( LA(1)) {
case TCP:
{
match(TCP);
break;
}
case UDP:
{
match(UDP);
break;
}
case INT_CONST:
{
break;
}
default:
{
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
}
max_conn = LT(1);
match(INT_CONST);
{
if ((LA(1) == INT_CONST) && (_tokenSet_38.member(LA(2)))) {
max_emb_conn = LT(1);
match(INT_CONST);
}
else if ((_tokenSet_38.member(LA(1))) && (_tokenSet_39.member(LA(2)))) {
}
else {
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
if ( inputState->guessing==0 ) {
#line 2052 "pix.g"
importer->static_max_conn = max_conn->getText();
if (max_emb_conn)
importer->static_max_emb_conn = max_emb_conn->getText();
#line 6985 "PIXCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
if( inputState->guessing == 0 ) {
@ -6994,6 +6929,105 @@ void PIXCfgParser::nat_command_last_parameters() {
}
}
void PIXCfgParser::nat_and_static_command_common_last_parameters() {
ANTLR_USE_NAMESPACE(antlr)RefToken max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
ANTLR_USE_NAMESPACE(antlr)RefToken max_emb_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
try { // for error handling
switch ( LA(1)) {
case DNS:
{
match(DNS);
if ( inputState->guessing==0 ) {
#line 2306 "pix.g"
importer->addMessageToLog(
QString("Warning: 'nat' and 'static' command option 'dns' is not supported"));
#line 6948 "PIXCfgParser.cpp"
}
break;
}
case NORANDOMSEQ:
{
match(NORANDOMSEQ);
if ( inputState->guessing==0 ) {
#line 2312 "pix.g"
importer->addMessageToLog(
QString("Warning: 'nat' and 'static' command option 'norandomseq' is not supported"));
#line 6961 "PIXCfgParser.cpp"
}
break;
}
case INT_CONST:
case TCP:
case UDP:
{
{
switch ( LA(1)) {
case TCP:
{
match(TCP);
break;
}
case UDP:
{
match(UDP);
break;
}
case INT_CONST:
{
break;
}
default:
{
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
}
max_conn = LT(1);
match(INT_CONST);
{
if ((LA(1) == INT_CONST) && (_tokenSet_40.member(LA(2)))) {
max_emb_conn = LT(1);
match(INT_CONST);
}
else if ((_tokenSet_40.member(LA(1))) && (_tokenSet_41.member(LA(2)))) {
}
else {
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
if ( inputState->guessing==0 ) {
#line 2319 "pix.g"
importer->static_max_conn = max_conn->getText();
if (max_emb_conn)
importer->static_max_emb_conn = max_emb_conn->getText();
#line 7012 "PIXCfgParser.cpp"
}
break;
}
default:
{
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
if( inputState->guessing == 0 ) {
reportError(ex);
recover(ex,_tokenSet_40);
} else {
throw;
}
}
}
void PIXCfgParser::static_starts_with_hostaddr() {
try { // for error handling
@ -7001,15 +7035,15 @@ void PIXCfgParser::static_starts_with_hostaddr() {
static_real_addr_match();
{ // ( ... )*
for (;;) {
if ((_tokenSet_40.member(LA(1)))) {
if ((_tokenSet_42.member(LA(1)))) {
static_command_common_last_parameters();
}
else {
goto _loop272;
goto _loop268;
}
}
_loop272:;
_loop268:;
} // ( ... )*
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -7050,7 +7084,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() {
importer->protocol = LT(0)->getText();
*dbg << " SERVICE TCP/UDP " << LT(0)->getText() << " ";
#line 7054 "PIXCfgParser.cpp"
#line 7088 "PIXCfgParser.cpp"
}
static_mapped_addr_match();
tcp_udp_port_spec();
@ -7060,7 +7094,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() {
importer->mapped_port_spec = importer->tmp_port_spec_2;
*dbg << "mapped port " << importer->mapped_port_spec << " ";
#line 7064 "PIXCfgParser.cpp"
#line 7098 "PIXCfgParser.cpp"
}
{
switch ( LA(1)) {
@ -7075,7 +7109,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() {
importer->real_nm = importer->tmp_nm;
*dbg << "real: " << importer->real_a;
#line 7079 "PIXCfgParser.cpp"
#line 7113 "PIXCfgParser.cpp"
}
tcp_udp_port_spec();
if ( inputState->guessing==0 ) {
@ -7084,7 +7118,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() {
importer->real_port_spec = importer->tmp_port_spec_2;
*dbg << "real port " << importer->real_port_spec << " ";
#line 7088 "PIXCfgParser.cpp"
#line 7122 "PIXCfgParser.cpp"
}
break;
}
@ -7099,7 +7133,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() {
importer->real_addr_acl = acl_name->getText();
*dbg << "real: " << importer->real_addr_acl;
#line 7103 "PIXCfgParser.cpp"
#line 7137 "PIXCfgParser.cpp"
}
break;
}
@ -7111,15 +7145,15 @@ void PIXCfgParser::static_starts_with_tcp_udp() {
}
{ // ( ... )*
for (;;) {
if ((_tokenSet_40.member(LA(1)))) {
if ((_tokenSet_42.member(LA(1)))) {
static_command_common_last_parameters();
}
else {
goto _loop281;
goto _loop277;
}
}
_loop281:;
_loop277:;
} // ( ... )*
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -7148,7 +7182,7 @@ void PIXCfgParser::static_mapped_addr_match() {
importer->mapped_nm = importer->tmp_nm;
*dbg << "mapped: " << importer->mapped_a;
#line 7152 "PIXCfgParser.cpp"
#line 7186 "PIXCfgParser.cpp"
}
break;
}
@ -7162,7 +7196,7 @@ void PIXCfgParser::static_mapped_addr_match() {
importer->mapped_nm = "";
*dbg << "mapped: " << importer->mapped_a;
#line 7166 "PIXCfgParser.cpp"
#line 7200 "PIXCfgParser.cpp"
}
break;
}
@ -7176,7 +7210,7 @@ void PIXCfgParser::static_mapped_addr_match() {
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
if( inputState->guessing == 0 ) {
reportError(ex);
recover(ex,_tokenSet_41);
recover(ex,_tokenSet_43);
} else {
throw;
}
@ -7200,7 +7234,7 @@ void PIXCfgParser::static_real_addr_match() {
importer->real_nm = importer->tmp_nm;
*dbg << "real: " << importer->real_a;
#line 7204 "PIXCfgParser.cpp"
#line 7238 "PIXCfgParser.cpp"
}
break;
}
@ -7215,7 +7249,7 @@ void PIXCfgParser::static_real_addr_match() {
importer->real_addr_acl = acl_name->getText();
*dbg << "real: " << importer->real_addr_acl;
#line 7219 "PIXCfgParser.cpp"
#line 7253 "PIXCfgParser.cpp"
}
break;
}
@ -7229,7 +7263,7 @@ void PIXCfgParser::static_real_addr_match() {
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
if( inputState->guessing == 0 ) {
reportError(ex);
recover(ex,_tokenSet_42);
recover(ex,_tokenSet_44);
} else {
throw;
}
@ -7238,35 +7272,16 @@ void PIXCfgParser::static_real_addr_match() {
void PIXCfgParser::static_command_common_last_parameters() {
ANTLR_USE_NAMESPACE(antlr)RefToken nm = ANTLR_USE_NAMESPACE(antlr)nullToken;
ANTLR_USE_NAMESPACE(antlr)RefToken max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
ANTLR_USE_NAMESPACE(antlr)RefToken max_emb_conn = ANTLR_USE_NAMESPACE(antlr)nullToken;
try { // for error handling
switch ( LA(1)) {
case INT_CONST:
case TCP:
case UDP:
case DNS:
{
match(DNS);
if ( inputState->guessing==0 ) {
#line 2288 "pix.g"
importer->addMessageToLog(
QString("Warning: 'static' command option 'dns' is not supported"));
#line 7256 "PIXCfgParser.cpp"
}
break;
}
case NORANDOMSEQ:
{
match(NORANDOMSEQ);
if ( inputState->guessing==0 ) {
#line 2294 "pix.g"
importer->addMessageToLog(
QString("Warning: 'static' command option 'norandomseq' is not supported"));
#line 7269 "PIXCfgParser.cpp"
}
nat_and_static_command_common_last_parameters();
break;
}
case NETMASK:
@ -7275,63 +7290,12 @@ void PIXCfgParser::static_command_common_last_parameters() {
nm = LT(1);
match(IPV4);
if ( inputState->guessing==0 ) {
#line 2300 "pix.g"
#line 2290 "pix.g"
importer->real_nm = nm->getText();
*dbg << "real netmask: " << importer->real_nm;
#line 7284 "PIXCfgParser.cpp"
}
break;
}
case INT_CONST:
case TCP:
case UDP:
{
{
switch ( LA(1)) {
case TCP:
{
match(TCP);
break;
}
case UDP:
{
match(UDP);
break;
}
case INT_CONST:
{
break;
}
default:
{
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
}
max_conn = LT(1);
match(INT_CONST);
{
if ((LA(1) == INT_CONST) && (_tokenSet_42.member(LA(2)))) {
max_emb_conn = LT(1);
match(INT_CONST);
}
else if ((_tokenSet_42.member(LA(1))) && (_tokenSet_43.member(LA(2)))) {
}
else {
throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
}
}
if ( inputState->guessing==0 ) {
#line 2307 "pix.g"
importer->static_max_conn = max_conn->getText();
if (max_emb_conn)
importer->static_max_emb_conn = max_emb_conn->getText();
#line 7335 "PIXCfgParser.cpp"
#line 7299 "PIXCfgParser.cpp"
}
break;
}
@ -7344,7 +7308,7 @@ void PIXCfgParser::static_command_common_last_parameters() {
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
if( inputState->guessing == 0 ) {
reportError(ex);
recover(ex,_tokenSet_42);
recover(ex,_tokenSet_44);
} else {
throw;
}
@ -7747,37 +7711,40 @@ const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_35(_tokenSet_35_d
const unsigned long PIXCfgParser::_tokenSet_36_data_[] = { 16384UL, 0UL, 0UL, 8388608UL, 0UL, 0UL, 0UL, 0UL };
// WORD "outside"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_36(_tokenSet_36_data_,8);
const unsigned long PIXCfgParser::_tokenSet_37_data_[] = { 0UL, 16778880UL, 0UL, 8388608UL, 0UL, 0UL, 0UL, 0UL };
// INT_CONST "tcp" "udp" "dns" "outside"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_37(_tokenSet_37_data_,8);
const unsigned long PIXCfgParser::_tokenSet_38_data_[] = { 16UL, 16778880UL, 0UL, 8388608UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE INT_CONST "tcp" "udp" "dns" "outside"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_38(_tokenSet_38_data_,8);
const unsigned long PIXCfgParser::_tokenSet_39_data_[] = { 3758120818UL, 2172659455UL, 335UL, 62914592UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long PIXCfgParser::_tokenSet_37_data_[] = { 0UL, 16778880UL, 0UL, 8388608UL, 0UL, 16UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// INT_CONST "tcp" "udp" "dns" "outside" "norandomseq"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_37(_tokenSet_37_data_,12);
const unsigned long PIXCfgParser::_tokenSet_38_data_[] = { 16UL, 16778880UL, 0UL, 8388608UL, 0UL, 16UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE INT_CONST "tcp" "udp" "dns" "outside" "norandomseq"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_38(_tokenSet_38_data_,12);
const unsigned long PIXCfgParser::_tokenSet_39_data_[] = { 3758120818UL, 2172659455UL, 335UL, 62914592UL, 469762049UL, 25UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD
// "object" "description" "host" "range" "subnet" "service" "http" "ssh"
// "telnet" "icmp" INT_CONST "tcp" "udp" "object-group" "crypto" "dns"
// "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list" "interface"
// "controller" "outside" LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT
// "nat" "global" "static"
// "nat" "global" "static" "norandomseq"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_39(_tokenSet_39_data_,12);
const unsigned long PIXCfgParser::_tokenSet_40_data_[] = { 0UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// INT_CONST "tcp" "udp" "dns" "netmask" "norandomseq"
const unsigned long PIXCfgParser::_tokenSet_40_data_[] = { 16UL, 16778880UL, 0UL, 8388608UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE INT_CONST "tcp" "udp" "dns" "outside" "netmask" "norandomseq"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_40(_tokenSet_40_data_,12);
const unsigned long PIXCfgParser::_tokenSet_41_data_[] = { 134275072UL, 184UL, 131392UL, 0UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long PIXCfgParser::_tokenSet_41_data_[] = { 3758129010UL, 2172659455UL, 335UL, 62914592UL, 469762049UL, 29UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" IPV4
// WORD "object" "description" "host" "range" "subnet" "service" "http"
// "ssh" "telnet" "icmp" INT_CONST "tcp" "udp" "object-group" "crypto"
// "dns" "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list"
// "interface" "controller" "outside" LINE_COMMENT "exit" "nameif" "access-group"
// COLON_COMMENT "nat" "global" "netmask" "static" "norandomseq"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_41(_tokenSet_41_data_,12);
const unsigned long PIXCfgParser::_tokenSet_42_data_[] = { 0UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// INT_CONST "tcp" "udp" "dns" "netmask" "norandomseq"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_42(_tokenSet_42_data_,12);
const unsigned long PIXCfgParser::_tokenSet_43_data_[] = { 134275072UL, 184UL, 131392UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// IPV4 WORD IPV6 "pptp" "http" "ssh" "telnet" INT_CONST "hostname" "access-list"
// "echo"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_41(_tokenSet_41_data_,8);
const unsigned long PIXCfgParser::_tokenSet_42_data_[] = { 16UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_43(_tokenSet_43_data_,8);
const unsigned long PIXCfgParser::_tokenSet_44_data_[] = { 16UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE INT_CONST "tcp" "udp" "dns" "netmask" "norandomseq"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_42(_tokenSet_42_data_,12);
const unsigned long PIXCfgParser::_tokenSet_43_data_[] = { 536903538UL, 2172659452UL, 335UL, 54525984UL, 469762049UL, 29UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" IPV4
// WORD "object" "service" "http" "ssh" "telnet" "icmp" INT_CONST "tcp"
// "udp" "object-group" "crypto" "dns" "no" "certificate" "PIX" "ASA" "FWSM"
// "hostname" "access-list" "interface" "controller" LINE_COMMENT "exit"
// "nameif" "access-group" COLON_COMMENT "nat" "global" "netmask" "static"
// "norandomseq"
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_43(_tokenSet_43_data_,12);
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_44(_tokenSet_44_data_,12);


@ -208,6 +208,7 @@ public:
public: void nat_new_top_level_command();
public: void nat_addr_match();
public: void nat_command_last_parameters();
public: void nat_and_static_command_common_last_parameters();
public: void static_starts_with_hostaddr();
public: void static_starts_with_tcp_udp();
public: void static_mapped_addr_match();
@ -319,6 +320,8 @@ private:
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_42;
static const unsigned long _tokenSet_43_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_43;
static const unsigned long _tokenSet_44_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_44;
};
#endif /*INC_PIXCfgParser_hpp_*/


@ -2037,6 +2037,12 @@ nat_addr_match :
;
nat_command_last_parameters :
// nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
//
// here we deal with parameters starting with "dns". Note that compiler
// does not know anything about max_conns and emb_limit options anyway
//
//
// <0-65535> The maximum number of simultaneous TCP connections
// dns Rewrite DNS address record
// norandomseq Disable TCP sequence number randomization
@ -2045,15 +2051,9 @@ nat_command_last_parameters :
// udp Configure UDP specific parameters
// <cr>
(DNS)?
(OUTSIDE)?
(TCP | UDP)?
max_conn:INT_CONST (max_emb_conn:INT_CONST)?
{
importer->static_max_conn = max_conn->getText();
if (max_emb_conn)
importer->static_max_emb_conn = max_emb_conn->getText();
}
nat_and_static_command_common_last_parameters
|
OUTSIDE
;
nat_new_top_level_command :
@ -2284,23 +2284,35 @@ static_command_common_last_parameters :
// udp Configure UDP specific parameters
// <cr>
DNS
{
importer->addMessageToLog(
QString("Warning: 'static' command option 'dns' is not supported"));
}
|
NORANDOMSEQ
{
importer->addMessageToLog(
QString("Warning: 'static' command option 'norandomseq' is not supported"));
}
nat_and_static_command_common_last_parameters
|
NETMASK nm:IPV4
{
importer->real_nm = nm->getText();
*dbg << "real netmask: " << importer->real_nm;
}
;
nat_and_static_command_common_last_parameters :
// <0-65535> The maximum number of simultaneous tcp connections
// dns Use the created xlate to rewrite DNS address record
// netmask Configure Netmask to apply to IP addresses
// norandomseq Disable TCP sequence number randomization
// tcp Configure TCP specific parameters
// udp Configure UDP specific parameters
// <cr>
DNS
{
importer->addMessageToLog(
QString("Warning: 'nat' and 'static' command option 'dns' is not supported"));
}
|
NORANDOMSEQ
{
importer->addMessageToLog(
QString("Warning: 'nat' and 'static' command option 'norandomseq' is not supported"));
}
|
(TCP | UDP)?
max_conn:INT_CONST (max_emb_conn:INT_CONST)?
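Review bot: The new `OUTSIDE` alternative in `nat_command_last_parameters` consumes the keyword with no action, so the importer accepts a `nat` line carrying `outside` and records nothing about it, while the sibling options `dns` and `norandomseq` each write a "not supported" warning to the import log. If the importer does not model outside NAT, the alternative should warn the same way, e.g. `OUTSIDE { importer->addMessageToLog(QString("Warning: 'nat' command option 'outside' is not supported")); }`, so whoever reviews the imported policy knows the rule may not mean what it meant on the device. The comment at the top of the rule says it deals with parameters starting with "dns", which does not describe a rule whose second alternative is `OUTSIDE`. Both rules continue outside the visible hunks.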


@ -255,6 +255,12 @@
</p>
</li>
<li>
<p>
fixes #2678 Policy importer
for PIX/ASA could not parse nat command with parameter "outside"
</p>
</li>
</ul>

File diff suppressed because it is too large Load Diff


@ -66,14 +66,12 @@ Warning: interface Ethernet6 was not imported because it is in "shutdown" mode
163: Source translation rule ("nat" command)
163: NAT exemption rule ("nat (interface) 0" command)
166: Source translation rule ("nat" command)
170: Destination translation rule ("static" command)
171: Destination translation rule ("static" command)
172: Destination translation rule ("static" command)
169: Source translation rule ("nat" command)
173: Destination translation rule ("static" command)
174: Destination translation rule ("static" command)
175: Destination translation rule ("static" command)
176: Destination translation rule ("static" command)
177: Destination translation rule ("static" command)
178: Destination translation rule ("static" command)
179: Destination translation rule ("static" command)
180: Destination translation rule ("static" command)
181: Destination translation rule ("static" command)
@ -122,17 +120,20 @@ Warning: interface Ethernet6 was not imported because it is in "shutdown" mode
224: Destination translation rule ("static" command)
225: Destination translation rule ("static" command)
226: Destination translation rule ("static" command)
231: Destination translation rule ("static" command)
232: Destination translation rule ("static" command)
233: Destination translation rule ("static" command)
227: Destination translation rule ("static" command)
228: Destination translation rule ("static" command)
229: Destination translation rule ("static" command)
234: Destination translation rule ("static" command)
235: Destination translation rule ("static" command)
236: Destination translation rule ("static" command)
238: Destination translation rule ("static" command)
241: Interface Ethernet0.101 ruleset outside_in direction 'in'
242: Interface Ethernet1 ruleset inside_in direction 'in'
243: Interface Ethernet1 ruleset inside_out direction 'out'
284: Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
284: filtering rule: access list ssh_commands_inside, action permit
285: Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
285: filtering rule: access list ssh_commands_inside, action permit
286: Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in'
286: filtering rule: access list ssh_commands_outside, action permit
241: Destination translation rule ("static" command)
244: Interface Ethernet0.101 ruleset outside_in direction 'in'
245: Interface Ethernet1 ruleset inside_in direction 'in'
246: Interface Ethernet1 ruleset inside_out direction 'out'
287: Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
287: filtering rule: access list ssh_commands_inside, action permit
288: Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
288: filtering rule: access list ssh_commands_inside, action permit
289: Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in'
289: filtering rule: access list ssh_commands_outside, action permit


@ -165,6 +165,9 @@ nat (inside) 0 access-list EXEMPT
! example of nat () 1 0 0 command
nat (inside) 3 0 0
! "nat outside example with max_conn parameter
nat (dmz20) 2 10.2.2.0 255.255.255.0 outside 1000
static (inside,dmz20) 10.0.0.16 10.1.1.16 netmask 255.255.255.240