From b89bf502d373259fc2c2d4bbe4d883638fc47de2 Mon Sep 17 00:00:00 2001 From: Vadim Kurland Date: Wed, 7 Dec 2011 17:02:07 -0800 Subject: [PATCH] fixes #2678 Policy importer for PIX/ASA could not parse nat command with parameter "outside" --- doc/ChangeLog | 3 + src/import/PIXImporterNat.cpp | 18 +- src/parsers/PIXCfgLexer.cpp | 202 +- src/parsers/PIXCfgParser.cpp | 343 ++- src/parsers/PIXCfgParser.hpp | 3 + src/parsers/pix.g | 52 +- src/res/help/en_US/release_notes_5.0.1.html | 6 + .../PIXImporterTest/test_data/pix7-nat.fwb | 1967 +++++++++-------- .../PIXImporterTest/test_data/pix7-nat.output | 33 +- .../PIXImporterTest/test_data/pix7-nat.test | 3 + 10 files changed, 1370 insertions(+), 1260 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index 438ac4ef2..008f91e27 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,8 @@ 2011-12-07 Vadim Kurland + * pix.g (nat_command_last_parameters): fixes #2678 Policy importer + for PIX/ASA could not parse nat command with parameter "outside" + * PIXImporterNat.cpp (PIXImporter::buildNoNATRule): fixes #2679 Policy importer for PIX/ASA could not import "nat exemption" rule (for example: "nat (inside) 0 access-list EXEMPT") diff --git a/src/import/PIXImporterNat.cpp b/src/import/PIXImporterNat.cpp index 2ca82568c..41490593f 100644 --- a/src/import/PIXImporterNat.cpp +++ b/src/import/PIXImporterNat.cpp @@ -350,13 +350,19 @@ void PIXImporter::buildSNATRule() assert(tsrc!=NULL); if (addr) tsrc->addRef( addr ); - RuleElement *itf_i_re = rule->getItfInb(); - assert(itf_i_re!=NULL); - itf_i_re->addRef(pre_intf); + if (pre_intf) + { + RuleElement *itf_i_re = rule->getItfInb(); + assert(itf_i_re!=NULL); + itf_i_re->addRef(pre_intf); + } - RuleElement *itf_o_re = rule->getItfOutb(); - assert(itf_o_re!=NULL); - itf_o_re->addRef(post_intf); + if (post_intf) + { + RuleElement *itf_o_re = rule->getItfOutb(); + assert(itf_o_re!=NULL); + itf_o_re->addRef(post_intf); + } if ( ! nat_acl.empty()) { 
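Review bot: When `pre_intf` or `post_intf` is null, the new guards in `buildSNATRule` skip `addRef` and record nothing, so the NAT rule is still created but its inbound or outbound interface element stays empty. For a firewall policy importer that is a silent difference from the source configuration; if an empty element is treated as "any interface" downstream (not visible here), the imported rule is broader than the original. Consider an `else` branch on each guard that writes to the import log, for example `addMessageToLog(QString("Warning: NAT rule imported without inbound interface"));`, assuming the helper that pix.g calls through `importer->` is reachable here. The `assert(itf_i_re!=NULL)` and `assert(itf_o_re!=NULL)` lines do not protect the dereference that follows in builds compiled with NDEBUG. `buildSNATRule` starts before this hunk and continues after it.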
diff --git a/src/parsers/PIXCfgLexer.cpp b/src/parsers/PIXCfgLexer.cpp index bba01b107..8d80e3b17 100644 --- a/src/parsers/PIXCfgLexer.cpp +++ b/src/parsers/PIXCfgLexer.cpp @@ -506,11 +506,11 @@ void PIXCfgLexer::mLINE_COMMENT(bool _createToken) { } } else { - goto _loop288; + goto _loop285; } } - _loop288:; + _loop285:; } // ( ... )* mNEWLINE(false); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { @@ -542,7 +542,7 @@ void PIXCfgLexer::mNEWLINE(bool _createToken) { } if ( inputState->guessing==0 ) { -#line 2536 "pix.g" +#line 2548 "pix.g" newline(); #line 548 "PIXCfgLexer.cpp" } @@ -568,11 +568,11 @@ void PIXCfgLexer::mCOLON_COMMENT(bool _createToken) { } } else { - goto _loop292; + goto _loop289; } } - _loop292:; + _loop289:; } // ( ... )* mNEWLINE(false); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { @@ -666,7 +666,7 @@ void PIXCfgLexer::mWhitespace(bool _createToken) { } } if ( inputState->guessing==0 ) { -#line 2531 "pix.g" +#line 2543 "pix.g" _ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP; #line 672 "PIXCfgLexer.cpp" } @@ -764,15 +764,15 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex; { - bool synPredMatched341 = false; + bool synPredMatched338 = false; if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (true))) { - int _m341 = mark(); - synPredMatched341 = true; + int _m338 = mark(); + synPredMatched338 = true; inputState->guessing++; try { { { // ( ... )+ - int _cnt340=0; + int _cnt337=0; for (;;) { switch ( LA(1)) { case 0x61 /* 'a' */ : 
@@ -801,27 +801,27 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { } default: { - if ( _cnt340>=1 ) { goto _loop340; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt337>=1 ) { goto _loop337; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } - _cnt340++; + _cnt337++; } - _loop340:; + _loop337:; } // ( ... )+ mCOLON(false); } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { - synPredMatched341 = false; + synPredMatched338 = false; } - rewind(_m341); + rewind(_m338); inputState->guessing--; } - if ( synPredMatched341 ) { + if ( synPredMatched338 ) { { { { // ( ... )+ - int _cnt345=0; + int _cnt342=0; for (;;) { switch ( LA(1)) { case 0x61 /* 'a' */ : @@ -850,15 +850,15 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { } default: { - if ( _cnt345>=1 ) { goto _loop345; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt342>=1 ) { goto _loop342; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } } - _cnt345++; + _cnt342++; } - _loop345:; + _loop342:; } // ( ... )+ { // ( ... )+ - int _cnt349=0; + int _cnt346=0; for (;;) { if ((LA(1) == 0x3a /* ':' */ )) { mCOLON(false); 
@@ -891,34 +891,34 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { } default: { - goto _loop348; + goto _loop345; } } } - _loop348:; + _loop345:; } // ( ... )* } else { - if ( _cnt349>=1 ) { goto _loop349; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt346>=1 ) { goto _loop346; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt349++; + _cnt346++; } - _loop349:; + _loop346:; } // ( ... )+ } if ( inputState->guessing==0 ) { -#line 2577 "pix.g" +#line 2589 "pix.g" _ttype = IPV6; #line 914 "PIXCfgLexer.cpp" } } } else { - bool synPredMatched306 = false; + bool synPredMatched303 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true))) { - int _m306 = mark(); - synPredMatched306 = true; + int _m303 = mark(); + synPredMatched303 = true; inputState->guessing++; try { { 
@@ -926,240 +926,240 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { - synPredMatched306 = false; + synPredMatched303 = false; } - rewind(_m306); + rewind(_m303); inputState->guessing--; } - if ( synPredMatched306 ) { + if ( synPredMatched303 ) { { - bool synPredMatched315 = false; + bool synPredMatched312 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { - int _m315 = mark(); - synPredMatched315 = true; + int _m312 = mark(); + synPredMatched312 = true; inputState->guessing++; try { { { // ( ... )+ - int _cnt310=0; + int _cnt307=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt310>=1 ) { goto _loop310; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt307>=1 ) { goto _loop307; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt310++; + _cnt307++; } - _loop310:; + _loop307:; } // ( ... )+ mDOT(false); { // ( ... )+ - int _cnt312=0; + int _cnt309=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt312>=1 ) { goto _loop312; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt309>=1 ) { goto _loop309; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt312++; + _cnt309++; } - _loop312:; + _loop309:; } // ( ... )+ mDOT(false); { // ( ... 
)+ - int _cnt314=0; + int _cnt311=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt314>=1 ) { goto _loop314; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt311>=1 ) { goto _loop311; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt314++; + _cnt311++; } - _loop314:; + _loop311:; } // ( ... )+ } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { - synPredMatched315 = false; + synPredMatched312 = false; } - rewind(_m315); + rewind(_m312); inputState->guessing--; } - if ( synPredMatched315 ) { + if ( synPredMatched312 ) { { { // ( ... )+ - int _cnt318=0; + int _cnt315=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt318>=1 ) { goto _loop318; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt315>=1 ) { goto _loop315; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt318++; + _cnt315++; } - _loop318:; + _loop315:; } // ( ... )+ mDOT(false); { // ( ... )+ - int _cnt320=0; + int _cnt317=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt320>=1 ) { goto _loop320; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt317>=1 ) { goto _loop317; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt320++; + _cnt317++; } - _loop320:; + _loop317:; } // ( ... )+ mDOT(false); { // ( ... 
)+ - int _cnt322=0; + int _cnt319=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt322>=1 ) { goto _loop322; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt319>=1 ) { goto _loop319; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt322++; + _cnt319++; } - _loop322:; + _loop319:; } // ( ... )+ mDOT(false); { // ( ... )+ - int _cnt324=0; + int _cnt321=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt324>=1 ) { goto _loop324; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt321>=1 ) { goto _loop321; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt324++; + _cnt321++; } - _loop324:; + _loop321:; } // ( ... )+ } if ( inputState->guessing==0 ) { -#line 2565 "pix.g" +#line 2577 "pix.g" _ttype = IPV4; #line 1061 "PIXCfgLexer.cpp" } } else { - bool synPredMatched330 = false; + bool synPredMatched327 = false; if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) { - int _m330 = mark(); - synPredMatched330 = true; + int _m327 = mark(); + synPredMatched327 = true; inputState->guessing++; try { { { // ( ... 
)+ - int _cnt327=0; + int _cnt324=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt327>=1 ) { goto _loop327; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt324>=1 ) { goto _loop324; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt327++; + _cnt324++; } - _loop327:; + _loop324:; } // ( ... )+ mDOT(false); { // ( ... )+ - int _cnt329=0; + int _cnt326=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt329>=1 ) { goto _loop329; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt326>=1 ) { goto _loop326; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt329++; + _cnt326++; } - _loop329:; + _loop326:; } // ( ... )+ } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) { - synPredMatched330 = false; + synPredMatched327 = false; } - rewind(_m330); + rewind(_m327); inputState->guessing--; } - if ( synPredMatched330 ) { + if ( synPredMatched327 ) { { { // ( ... )+ - int _cnt333=0; + int _cnt330=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt333>=1 ) { goto _loop333; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt330>=1 ) { goto _loop330; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt333++; + _cnt330++; } - _loop333:; + _loop330:; } // ( ... )+ mDOT(false); { // ( ... 
)+ - int _cnt335=0; + int _cnt332=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt335>=1 ) { goto _loop335; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt332>=1 ) { goto _loop332; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt335++; + _cnt332++; } - _loop335:; + _loop332:; } // ( ... )+ } if ( inputState->guessing==0 ) { -#line 2568 "pix.g" +#line 2580 "pix.g" _ttype = NUMBER; #line 1144 "PIXCfgLexer.cpp" } } else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) { { // ( ... )+ - int _cnt337=0; + int _cnt334=0; for (;;) { if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { mDIGIT(false); } else { - if ( _cnt337>=1 ) { goto _loop337; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + if ( _cnt334>=1 ) { goto _loop334; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} } - _cnt337++; + _cnt334++; } - _loop337:; + _loop334:; } // ( ... )+ if ( inputState->guessing==0 ) { -#line 2570 "pix.g" +#line 2582 "pix.g" _ttype = INT_CONST; #line 1165 "PIXCfgLexer.cpp" } @@ -1414,14 +1414,14 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) { } default: { - goto _loop352; + goto _loop349; } } } - _loop352:; + _loop349:; } // ( ... )* if ( inputState->guessing==0 ) { -#line 2585 "pix.g" +#line 2597 "pix.g" _ttype = WORD; #line 1427 "PIXCfgLexer.cpp" } 
@@ -1465,11 +1465,11 @@ void PIXCfgLexer::mSTRING(bool _createToken) { matchNot('\"' /* charlit */ ); } else { - goto _loop355; + goto _loop352; } } - _loop355:; + _loop352:; } // ( ... )* match('\"' /* charlit */ ); if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) { diff --git a/src/parsers/PIXCfgParser.cpp b/src/parsers/PIXCfgParser.cpp index 9b05241c5..77f335cc3 100644 --- a/src/parsers/PIXCfgParser.cpp +++ b/src/parsers/PIXCfgParser.cpp @@ -6809,6 +6809,7 @@ void PIXCfgParser::nat_addr_match() { case UDP: case DNS: case OUTSIDE: + case NORANDOMSEQ: { break; } @@ -6835,7 +6836,7 @@ void PIXCfgParser::nat_addr_match() { } importer->nat_a = "0.0.0.0"; -#line 6839 "PIXCfgParser.cpp" +#line 6840 "PIXCfgParser.cpp" } { if ((LA(1) == INT_CONST) && (_tokenSet_38.member(LA(2)))) { @@ -6852,7 +6853,7 @@ void PIXCfgParser::nat_addr_match() { } importer->nat_nm = "0.0.0.0"; -#line 6856 "PIXCfgParser.cpp" +#line 6857 "PIXCfgParser.cpp" } } else if ((_tokenSet_38.member(LA(1))) && (_tokenSet_39.member(LA(2)))) { @@ -6874,7 +6875,7 @@ void PIXCfgParser::nat_addr_match() { importer->nat_acl = acl_name->getText(); -#line 6878 "PIXCfgParser.cpp" +#line 6879 "PIXCfgParser.cpp" } break; } 
@@ -6895,94 +6896,28 @@ void PIXCfgParser::nat_addr_match() { } void PIXCfgParser::nat_command_last_parameters() { - ANTLR_USE_NAMESPACE(antlr)RefToken max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken; - ANTLR_USE_NAMESPACE(antlr)RefToken max_emb_conn = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling - { switch ( LA(1)) { - case DNS: - { - match(DNS); - break; - } case INT_CONST: case TCP: case UDP: - case OUTSIDE: + case DNS: + case NORANDOMSEQ: { + nat_and_static_command_common_last_parameters(); break; } - default: - { - throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); - } - } - } - { - switch ( LA(1)) { case OUTSIDE: { match(OUTSIDE); break; } - case INT_CONST: - case TCP: - case UDP: - { - break; - } default: { throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); } } - } - { - switch ( LA(1)) { - case TCP: - { - match(TCP); - break; - } - case UDP: - { - match(UDP); - break; - } - case INT_CONST: - { - break; - } - default: - { - throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); - } - } - } - max_conn = LT(1); - match(INT_CONST); - { - if ((LA(1) == INT_CONST) && (_tokenSet_38.member(LA(2)))) { - max_emb_conn = LT(1); - match(INT_CONST); - } - else if ((_tokenSet_38.member(LA(1))) && (_tokenSet_39.member(LA(2)))) { - } - else { - throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); - } - - } - if ( inputState->guessing==0 ) { -#line 2052 "pix.g" - - importer->static_max_conn = max_conn->getText(); - if (max_emb_conn) - importer->static_max_emb_conn = max_emb_conn->getText(); - -#line 6985 "PIXCfgParser.cpp" - } } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { 
@@ -6994,6 +6929,105 @@ void PIXCfgParser::nat_command_last_parameters() { } } +void PIXCfgParser::nat_and_static_command_common_last_parameters() { + ANTLR_USE_NAMESPACE(antlr)RefToken max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken; + ANTLR_USE_NAMESPACE(antlr)RefToken max_emb_conn = ANTLR_USE_NAMESPACE(antlr)nullToken; + + try { // for error handling + switch ( LA(1)) { + case DNS: + { + match(DNS); + if ( inputState->guessing==0 ) { +#line 2306 "pix.g" + + importer->addMessageToLog( + QString("Warning: 'nat' and 'static' command option 'dns' is not supported")); + +#line 6948 "PIXCfgParser.cpp" + } + break; + } + case NORANDOMSEQ: + { + match(NORANDOMSEQ); + if ( inputState->guessing==0 ) { +#line 2312 "pix.g" + + importer->addMessageToLog( + QString("Warning: 'nat' and 'static' command option 'norandomseq' is not supported")); + +#line 6961 "PIXCfgParser.cpp" + } + break; + } + case INT_CONST: + case TCP: + case UDP: + { + { + switch ( LA(1)) { + case TCP: + { + match(TCP); + break; + } + case UDP: + { + match(UDP); + break; + } + case INT_CONST: + { + break; + } + default: + { + throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); + } + } + } + max_conn = LT(1); + match(INT_CONST); + { + if ((LA(1) == INT_CONST) && (_tokenSet_40.member(LA(2)))) { + max_emb_conn = LT(1); + match(INT_CONST); + } + else if ((_tokenSet_40.member(LA(1))) && (_tokenSet_41.member(LA(2)))) { + } + else { + throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); + } + + } + if ( inputState->guessing==0 ) { +#line 2319 "pix.g" + + importer->static_max_conn = max_conn->getText(); + if (max_emb_conn) + importer->static_max_emb_conn = max_emb_conn->getText(); + +#line 7012 "PIXCfgParser.cpp" + } + break; + } + default: + { + throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); + } + } + } + catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { + if( inputState->guessing == 0 ) { + reportError(ex); + 
recover(ex,_tokenSet_40); + } else { + throw; + } + } +} + void PIXCfgParser::static_starts_with_hostaddr() { try { // for error handling @@ -7001,15 +7035,15 @@ void PIXCfgParser::static_starts_with_hostaddr() { static_real_addr_match(); { // ( ... )* for (;;) { - if ((_tokenSet_40.member(LA(1)))) { + if ((_tokenSet_42.member(LA(1)))) { static_command_common_last_parameters(); } else { - goto _loop272; + goto _loop268; } } - _loop272:; + _loop268:; } // ( ... )* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { @@ -7050,7 +7084,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() { importer->protocol = LT(0)->getText(); *dbg << " SERVICE TCP/UDP " << LT(0)->getText() << " "; -#line 7054 "PIXCfgParser.cpp" +#line 7088 "PIXCfgParser.cpp" } static_mapped_addr_match(); tcp_udp_port_spec(); @@ -7060,7 +7094,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() { importer->mapped_port_spec = importer->tmp_port_spec_2; *dbg << "mapped port " << importer->mapped_port_spec << " "; -#line 7064 "PIXCfgParser.cpp" +#line 7098 "PIXCfgParser.cpp" } { switch ( LA(1)) { @@ -7075,7 +7109,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() { importer->real_nm = importer->tmp_nm; *dbg << "real: " << importer->real_a; -#line 7079 "PIXCfgParser.cpp" +#line 7113 "PIXCfgParser.cpp" } tcp_udp_port_spec(); if ( inputState->guessing==0 ) { @@ -7084,7 +7118,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() { importer->real_port_spec = importer->tmp_port_spec_2; *dbg << "real port " << importer->real_port_spec << " "; -#line 7088 "PIXCfgParser.cpp" +#line 7122 "PIXCfgParser.cpp" } break; } @@ -7099,7 +7133,7 @@ void PIXCfgParser::static_starts_with_tcp_udp() { importer->real_addr_acl = acl_name->getText(); *dbg << "real: " << importer->real_addr_acl; -#line 7103 "PIXCfgParser.cpp" +#line 7137 "PIXCfgParser.cpp" } break; } 
@@ -7111,15 +7145,15 @@ void PIXCfgParser::static_starts_with_tcp_udp() { } { // ( ... )* for (;;) { - if ((_tokenSet_40.member(LA(1)))) { + if ((_tokenSet_42.member(LA(1)))) { static_command_common_last_parameters(); } else { - goto _loop281; + goto _loop277; } } - _loop281:; + _loop277:; } // ( ... )* } catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { @@ -7148,7 +7182,7 @@ void PIXCfgParser::static_mapped_addr_match() { importer->mapped_nm = importer->tmp_nm; *dbg << "mapped: " << importer->mapped_a; -#line 7152 "PIXCfgParser.cpp" +#line 7186 "PIXCfgParser.cpp" } break; } @@ -7162,7 +7196,7 @@ void PIXCfgParser::static_mapped_addr_match() { importer->mapped_nm = ""; *dbg << "mapped: " << importer->mapped_a; -#line 7166 "PIXCfgParser.cpp" +#line 7200 "PIXCfgParser.cpp" } break; } @@ -7176,7 +7210,7 @@ void PIXCfgParser::static_mapped_addr_match() { catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); - recover(ex,_tokenSet_41); + recover(ex,_tokenSet_43); } else { throw; } @@ -7200,7 +7234,7 @@ void PIXCfgParser::static_real_addr_match() { importer->real_nm = importer->tmp_nm; *dbg << "real: " << importer->real_a; -#line 7204 "PIXCfgParser.cpp" +#line 7238 "PIXCfgParser.cpp" } break; } @@ -7215,7 +7249,7 @@ void PIXCfgParser::static_real_addr_match() { importer->real_addr_acl = acl_name->getText(); *dbg << "real: " << importer->real_addr_acl; -#line 7219 "PIXCfgParser.cpp" +#line 7253 "PIXCfgParser.cpp" } break; } @@ -7229,7 +7263,7 @@ void PIXCfgParser::static_real_addr_match() { catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); - recover(ex,_tokenSet_42); + recover(ex,_tokenSet_44); } else { throw; } 
@@ -7238,35 +7272,16 @@ void PIXCfgParser::static_real_addr_match() { void PIXCfgParser::static_command_common_last_parameters() { ANTLR_USE_NAMESPACE(antlr)RefToken nm = ANTLR_USE_NAMESPACE(antlr)nullToken; - ANTLR_USE_NAMESPACE(antlr)RefToken max_conn = ANTLR_USE_NAMESPACE(antlr)nullToken; - ANTLR_USE_NAMESPACE(antlr)RefToken max_emb_conn = ANTLR_USE_NAMESPACE(antlr)nullToken; try { // for error handling switch ( LA(1)) { + case INT_CONST: + case TCP: + case UDP: case DNS: - { - match(DNS); - if ( inputState->guessing==0 ) { -#line 2288 "pix.g" - - importer->addMessageToLog( - QString("Warning: 'static' command option 'dns' is not supported")); - -#line 7256 "PIXCfgParser.cpp" - } - break; - } case NORANDOMSEQ: { - match(NORANDOMSEQ); - if ( inputState->guessing==0 ) { -#line 2294 "pix.g" - - importer->addMessageToLog( - QString("Warning: 'static' command option 'norandomseq' is not supported")); - -#line 7269 "PIXCfgParser.cpp" - } + nat_and_static_command_common_last_parameters(); break; } case NETMASK: 
@@ -7275,63 +7290,12 @@ void PIXCfgParser::static_command_common_last_parameters() { nm = LT(1); match(IPV4); if ( inputState->guessing==0 ) { -#line 2300 "pix.g" +#line 2290 "pix.g" importer->real_nm = nm->getText(); *dbg << "real netmask: " << importer->real_nm; -#line 7284 "PIXCfgParser.cpp" - } - break; - } - case INT_CONST: - case TCP: - case UDP: - { - { - switch ( LA(1)) { - case TCP: - { - match(TCP); - break; - } - case UDP: - { - match(UDP); - break; - } - case INT_CONST: - { - break; - } - default: - { - throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); - } - } - } - max_conn = LT(1); - match(INT_CONST); - { - if ((LA(1) == INT_CONST) && (_tokenSet_42.member(LA(2)))) { - max_emb_conn = LT(1); - match(INT_CONST); - } - else if ((_tokenSet_42.member(LA(1))) && (_tokenSet_43.member(LA(2)))) { - } - else { - throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename()); - } - - } - if ( inputState->guessing==0 ) { -#line 2307 "pix.g" - - importer->static_max_conn = max_conn->getText(); - if (max_emb_conn) - importer->static_max_emb_conn = max_emb_conn->getText(); - -#line 7335 "PIXCfgParser.cpp" +#line 7299 "PIXCfgParser.cpp" } break; } @@ -7344,7 +7308,7 @@ void PIXCfgParser::static_command_common_last_parameters() { catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) { if( inputState->guessing == 0 ) { reportError(ex); - recover(ex,_tokenSet_42); + recover(ex,_tokenSet_44); } else { throw; } 
@@ -7747,37 +7711,40 @@ const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_35(_tokenSet_35_d const unsigned long PIXCfgParser::_tokenSet_36_data_[] = { 16384UL, 0UL, 0UL, 8388608UL, 0UL, 0UL, 0UL, 0UL }; // WORD "outside" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_36(_tokenSet_36_data_,8); -const unsigned long PIXCfgParser::_tokenSet_37_data_[] = { 0UL, 16778880UL, 0UL, 8388608UL, 0UL, 0UL, 0UL, 0UL }; -// INT_CONST "tcp" "udp" "dns" "outside" -const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_37(_tokenSet_37_data_,8); -const unsigned long PIXCfgParser::_tokenSet_38_data_[] = { 16UL, 16778880UL, 0UL, 8388608UL, 0UL, 0UL, 0UL, 0UL }; -// NEWLINE INT_CONST "tcp" "udp" "dns" "outside" -const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_38(_tokenSet_38_data_,8); -const unsigned long PIXCfgParser::_tokenSet_39_data_[] = { 3758120818UL, 2172659455UL, 335UL, 62914592UL, 469762049UL, 9UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; +const unsigned long PIXCfgParser::_tokenSet_37_data_[] = { 0UL, 16778880UL, 0UL, 8388608UL, 0UL, 16UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; +// INT_CONST "tcp" "udp" "dns" "outside" "norandomseq" +const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_37(_tokenSet_37_data_,12); +const unsigned long PIXCfgParser::_tokenSet_38_data_[] = { 16UL, 16778880UL, 0UL, 8388608UL, 0UL, 16UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; +// NEWLINE INT_CONST "tcp" "udp" "dns" "outside" "norandomseq" +const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_38(_tokenSet_38_data_,12); +const unsigned long PIXCfgParser::_tokenSet_39_data_[] = { 3758120818UL, 2172659455UL, 335UL, 62914592UL, 469762049UL, 25UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" WORD // "object" "description" "host" "range" "subnet" "service" "http" "ssh" // "telnet" "icmp" INT_CONST "tcp" "udp" "object-group" "crypto" "dns" // "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list" 
"interface" // "controller" "outside" LINE_COMMENT "exit" "nameif" "access-group" COLON_COMMENT -// "nat" "global" "static" +// "nat" "global" "static" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_39(_tokenSet_39_data_,12); -const unsigned long PIXCfgParser::_tokenSet_40_data_[] = { 0UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; -// INT_CONST "tcp" "udp" "dns" "netmask" "norandomseq" +const unsigned long PIXCfgParser::_tokenSet_40_data_[] = { 16UL, 16778880UL, 0UL, 8388608UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; +// NEWLINE INT_CONST "tcp" "udp" "dns" "outside" "netmask" "norandomseq" const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_40(_tokenSet_40_data_,12); -const unsigned long PIXCfgParser::_tokenSet_41_data_[] = { 134275072UL, 184UL, 131392UL, 0UL, 0UL, 0UL, 0UL, 0UL }; +const unsigned long PIXCfgParser::_tokenSet_41_data_[] = { 3758129010UL, 2172659455UL, 335UL, 62914592UL, 469762049UL, 29UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; +// EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" IPV4 +// WORD "object" "description" "host" "range" "subnet" "service" "http" +// "ssh" "telnet" "icmp" INT_CONST "tcp" "udp" "object-group" "crypto" +// "dns" "no" "certificate" "PIX" "ASA" "FWSM" "hostname" "access-list" +// "interface" "controller" "outside" LINE_COMMENT "exit" "nameif" "access-group" +// COLON_COMMENT "nat" "global" "netmask" "static" "norandomseq" +const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_41(_tokenSet_41_data_,12); +const unsigned long PIXCfgParser::_tokenSet_42_data_[] = { 0UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; +// INT_CONST "tcp" "udp" "dns" "netmask" "norandomseq" +const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_42(_tokenSet_42_data_,12); +const unsigned long PIXCfgParser::_tokenSet_43_data_[] = { 134275072UL, 184UL, 131392UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // IPV4 WORD IPV6 "pptp" "http" "ssh" "telnet" 
INT_CONST "hostname" "access-list" // "echo" -const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_41(_tokenSet_41_data_,8); -const unsigned long PIXCfgParser::_tokenSet_42_data_[] = { 16UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; +const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_43(_tokenSet_43_data_,8); +const unsigned long PIXCfgParser::_tokenSet_44_data_[] = { 16UL, 16778880UL, 0UL, 0UL, 0UL, 20UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; // NEWLINE INT_CONST "tcp" "udp" "dns" "netmask" "norandomseq" -const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_42(_tokenSet_42_data_,12); -const unsigned long PIXCfgParser::_tokenSet_43_data_[] = { 536903538UL, 2172659452UL, 335UL, 54525984UL, 469762049UL, 29UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL }; -// EOF NEWLINE "quit" "ip" "timeout" "pim" "network" "names" "name" IPV4 -// WORD "object" "service" "http" "ssh" "telnet" "icmp" INT_CONST "tcp" -// "udp" "object-group" "crypto" "dns" "no" "certificate" "PIX" "ASA" "FWSM" -// "hostname" "access-list" "interface" "controller" LINE_COMMENT "exit" -// "nameif" "access-group" COLON_COMMENT "nat" "global" "netmask" "static" -// "norandomseq" -const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_43(_tokenSet_43_data_,12); +const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgParser::_tokenSet_44(_tokenSet_44_data_,12); diff --git a/src/parsers/PIXCfgParser.hpp b/src/parsers/PIXCfgParser.hpp index 0f4b0a391..341af8b91 100644 --- a/src/parsers/PIXCfgParser.hpp +++ b/src/parsers/PIXCfgParser.hpp @@ -208,6 +208,7 @@ public: public: void nat_new_top_level_command(); public: void nat_addr_match(); public: void nat_command_last_parameters(); + public: void nat_and_static_command_common_last_parameters(); public: void static_starts_with_hostaddr(); public: void static_starts_with_tcp_udp(); public: void static_mapped_addr_match(); 
@@ -319,6 +320,8 @@ private: static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_42; static const unsigned long _tokenSet_43_data_[]; static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_43; + static const unsigned long _tokenSet_44_data_[]; + static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_44; }; #endif /*INC_PIXCfgParser_hpp_*/ diff --git a/src/parsers/pix.g b/src/parsers/pix.g index 8825568a2..be49e62d1 100644 --- a/src/parsers/pix.g +++ b/src/parsers/pix.g @@ -2037,6 +2037,12 @@ nat_addr_match : ; nat_command_last_parameters : + // nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]] + // + // here we deal with parameters starting with "dns". Note that compiler + // does not know anything about max_conns and emb_limit options anyway + // + // // <0-65535> The maximum number of simultaneous TCP connections // dns Rewrite DNS address record // norandomseq Disable TCP sequence number randomization @@ -2045,15 +2051,9 @@ nat_command_last_parameters : // udp Configure UDP specific parameters // - (DNS)? - (OUTSIDE)? - (TCP | UDP)? - max_conn:INT_CONST (max_emb_conn:INT_CONST)? - { - importer->static_max_conn = max_conn->getText(); - if (max_emb_conn) - importer->static_max_emb_conn = max_emb_conn->getText(); - } + nat_and_static_command_common_last_parameters + | + OUTSIDE ; nat_new_top_level_command : 
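Review bot: The new `OUTSIDE` alternative in `nat_command_last_parameters` has no action, so the keyword is consumed and discarded, whereas `dns` and `norandomseq` in the shared rule at least reach the import log. Nothing in the visible lines records that the original `nat` line carried `outside`, so the imported rule can differ from the source configuration without the user being told. Unless that is handled elsewhere, give the alternative an action in the same style as the others, e.g. `OUTSIDE { importer->addMessageToLog(QString("Warning: 'nat' command option 'outside' is not supported")); }`. The header comment added in the hunk just above still says the rule deals with parameters "starting with dns", which does not describe the two alternatives it now has.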
@@ -2284,23 +2284,35 @@ static_command_common_last_parameters : // udp Configure UDP specific parameters // - DNS - { - importer->addMessageToLog( - QString("Warning: 'static' command option 'dns' is not supported")); - } - | - NORANDOMSEQ - { - importer->addMessageToLog( - QString("Warning: 'static' command option 'norandomseq' is not supported")); - } + nat_and_static_command_common_last_parameters | NETMASK nm:IPV4 { importer->real_nm = nm->getText(); *dbg << "real netmask: " << importer->real_nm; } + ; + +nat_and_static_command_common_last_parameters : + // <0-65535> The maximum number of simultaneous tcp connections + // dns Use the created xlate to rewrite DNS address record + // netmask Configure Netmask to apply to IP addresses + // norandomseq Disable TCP sequence number randomization + // tcp Configure TCP specific parameters + // udp Configure UDP specific parameters + // + + DNS + { + importer->addMessageToLog( + QString("Warning: 'nat' and 'static' command option 'dns' is not supported")); + } + | + NORANDOMSEQ + { + importer->addMessageToLog( + QString("Warning: 'nat' and 'static' command option 'norandomseq' is not supported")); + } | (TCP | UDP)? max_conn:INT_CONST (max_emb_conn:INT_CONST)? diff --git a/src/res/help/en_US/release_notes_5.0.1.html b/src/res/help/en_US/release_notes_5.0.1.html index c59574208..66863294b 100644 --- a/src/res/help/en_US/release_notes_5.0.1.html +++ b/src/res/help/en_US/release_notes_5.0.1.html @@ -255,6 +255,12 @@
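Review bot: The comment block that opens `nat_and_static_command_common_last_parameters` still lists `netmask`, but the `NETMASK nm:IPV4` alternative stays in `static_command_common_last_parameters`, so the shared rule does not accept it. Drop that line or replace it with `// netmask is handled in static_command_common_last_parameters`. The reworded warnings (`'nat' and 'static' command option 'dns' is not supported`) no longer say which command triggered them, which makes the import log harder to audit against the original configuration. Keeping one message per calling rule would preserve that. The rule's `max_conn` action continues outside the hunk.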

+
  • +

    + fixes #2678 Policy importer + for PIX/ASA could not parse nat command with parameter "outside" +

    +
  • diff --git a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb index f9ab0bb84..8e9074378 100644 --- a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb +++ b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb @@ -1,6 +1,6 @@ - + @@ -453,16 +453,16 @@ - - - - - - - - - - + + + + + + + + + + @@ -498,84 +498,85 @@ - - + + + - - - + + + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - + + + - - - - + + + + @@ -583,10 +584,10 @@ - + - + @@ -595,14 +596,14 @@ - + - + - + @@ -622,14 +623,14 @@ - + - + - + @@ -640,7 +641,7 @@ - + @@ -649,14 +650,14 @@ - + - + - + @@ -676,14 +677,14 @@ - + - + - + @@ -703,14 +704,14 @@ - + - + - + @@ -730,14 +731,14 @@ - + - + - + @@ -748,7 +749,7 @@ - + @@ -757,14 +758,14 @@ - + - + - + @@ -784,14 +785,14 @@ - + - + - + @@ -811,14 +812,14 @@ - + - + - + @@ -826,10 +827,10 @@ - + - + @@ -838,14 +839,14 @@ - + - + - + @@ -853,10 +854,10 @@ - + - + @@ -865,14 +866,14 @@ - + - + - + @@ -880,10 +881,10 @@ - + - + @@ -892,14 +893,14 @@ - + - + - + @@ -907,7 +908,7 @@ - + @@ -919,14 +920,14 @@ - + - + - + @@ -934,7 +935,7 @@ - + @@ -946,14 +947,14 @@ - + - + - + @@ -961,10 +962,10 @@ - + - + @@ -973,14 +974,14 @@ - + - + - + @@ -988,10 +989,10 @@ - + - + @@ -1000,14 +1001,14 @@ - + - + - + @@ -1015,7 +1016,7 @@ - + @@ -1027,14 +1028,14 @@ - + - + @@ -1054,14 +1055,14 @@ - + - + - + @@ -1071,6 +1072,60 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1081,14 +1136,68 @@ - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1102,20 +1211,20 @@ - + - + - + - + @@ -1135,19 +1244,19 @@ - + - + - + - + @@ -1162,14 +1271,14 @@ - + - + - + 
@@ -1177,26 +1286,26 @@ - + - + - + - + - + - + @@ -1204,7 +1313,7 @@ - + 
@@ -1212,558 +1321,531 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -1783,14 +1865,14 @@ - + - + - + @@ -1810,14 +1892,14 @@ - + - + - + @@ -1837,14 +1919,14 @@ - + - + - + @@ -1864,14 +1946,14 @@ - + - + - + @@ -1891,14 +1973,14 @@ - + - + - + @@ -1918,14 +2000,14 @@ - + - + - + @@ -1945,14 +2027,14 @@ - + - + - + @@ -1972,14 +2054,14 @@ - + - + - + @@ -1999,14 +2081,14 @@ - + - + - + @@ -2026,14 +2108,14 @@ - + - + - + @@ -2053,14 +2135,14 @@ - + - + - + @@ -2080,14 +2162,14 @@ - + - + - + @@ -2107,14 +2189,14 @@ - + - + - + @@ -2134,14 +2216,14 @@ - + - + - + @@ -2161,14 +2243,14 @@ - + - + - + @@ -2188,14 +2270,14 @@ - + - + - + @@ -2215,14 +2297,14 @@ - + - + - + @@ -2242,41 +2324,14 @@ - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -2296,14 +2351,41 @@ - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2323,14 +2405,14 @@ - + - + - + @@ -2350,14 +2432,14 @@ - + - + - + @@ -2377,14 +2459,14 @@ - + - + - + @@ -2404,14 +2486,14 @@ - + - + - + @@ -2431,14 +2513,14 @@ - + - + - + @@ -2458,14 +2540,14 @@ - + - + - + @@ -2485,14 +2567,14 @@ - + - + - + @@ -2512,14 +2594,14 @@ - + - + - + @@ -2539,14 +2621,14 @@ - + - + - + @@ -2566,14 +2648,14 @@ - + - + - + @@ -2581,7 +2663,7 @@ - + @@ -2590,25 +2672,52 @@ - + - + - + - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2617,25 +2726,25 @@ - + - + - + - + - + - + @@ -2644,22 +2753,22 @@ - + - + - + - + - + @@ -2671,17 +2780,17 @@ - + - + - + - + @@ -2698,17 +2807,17 @@ - + - + - + - + @@ -2716,7 +2825,7 @@ - + @@ -2728,14 +2837,14 @@ - + - + - + @@ -2743,7 +2852,7 @@ - + @@ -2755,28 +2864,28 @@ - + - + - - + + - + - + - + @@ -2785,18 +2894,18 @@ - + - + - + - + @@ -2805,18 +2914,18 @@ - + - + - + - + - + @@ -2825,7 +2934,7 @@ - + @@ -2833,10 +2942,10 @@ - + - + @@ -2846,7 +2955,7 @@ - + @@ -2854,10 +2963,10 @@ - + - + @@ -2867,7 +2976,7 @@ - + @@ -2875,10 +2984,10 @@ - + - + 
@@ -2888,7 +2997,7 @@ - + @@ -2896,10 +3005,10 @@ - + - + @@ -2908,7 +3017,7 @@ - + @@ -2916,10 +3025,10 @@ - + - + @@ -2929,7 +3038,7 @@ - + @@ -2937,10 +3046,10 @@ - + - + @@ -2950,7 +3059,7 @@ - + @@ -2958,10 +3067,10 @@ - + - + @@ -2971,7 +3080,7 @@ - + @@ -2979,10 +3088,10 @@ - + - + @@ -2992,7 +3101,7 @@ - + @@ -3000,10 +3109,10 @@ - + - + @@ -3012,7 +3121,7 @@ - + @@ -3020,10 +3129,10 @@ - + - + @@ -3033,7 +3142,7 @@ - + @@ -3041,10 +3150,10 @@ - + - + @@ -3054,7 +3163,7 @@ - + @@ -3062,10 +3171,10 @@ - + - + @@ -3075,7 +3184,7 @@ - + @@ -3083,10 +3192,10 @@ - + - + @@ -3096,7 +3205,7 @@ - + @@ -3104,10 +3213,10 @@ - + - + @@ -3119,28 +3228,28 @@ - + - + - - + + - - + + - - + + @@ -3162,7 +3271,7 @@ - - + + diff --git a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.output b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.output index 19036cdfe..b88fb8b5c 100644 --- a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.output +++ b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.output @@ -66,14 +66,12 @@ Warning: interface Ethernet6 was not imported because it is in "shutdown" mode 163: Source translation rule ("nat" command) 163: NAT exemption rule ("nat (interface) 0" command) 166: Source translation rule ("nat" command) -170: Destination translation rule ("static" command) -171: Destination translation rule ("static" command) -172: Destination translation rule ("static" command) +169: Source translation rule ("nat" command) 173: Destination translation rule ("static" command) 174: Destination translation rule ("static" command) +175: Destination translation rule ("static" command) 176: Destination translation rule ("static" command) 177: Destination translation rule ("static" command) -178: Destination translation rule ("static" command) 179: Destination translation rule ("static" command) 180: Destination translation rule ("static" command) 181: Destination translation rule ("static" command) 
@@ -122,17 +120,20 @@ Warning: interface Ethernet6 was not imported because it is in "shutdown" mode 224: Destination translation rule ("static" command) 225: Destination translation rule ("static" command) 226: Destination translation rule ("static" command) -231: Destination translation rule ("static" command) -232: Destination translation rule ("static" command) -233: Destination translation rule ("static" command) +227: Destination translation rule ("static" command) +228: Destination translation rule ("static" command) +229: Destination translation rule ("static" command) +234: Destination translation rule ("static" command) 235: Destination translation rule ("static" command) +236: Destination translation rule ("static" command) 238: Destination translation rule ("static" command) -241: Interface Ethernet0.101 ruleset outside_in direction 'in' -242: Interface Ethernet1 ruleset inside_in direction 'in' -243: Interface Ethernet1 ruleset inside_out direction 'out' -284: Interface Ethernet1 ruleset ssh_commands_inside direction 'in' -284: filtering rule: access list ssh_commands_inside, action permit -285: Interface Ethernet1 ruleset ssh_commands_inside direction 'in' -285: filtering rule: access list ssh_commands_inside, action permit -286: Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in' -286: filtering rule: access list ssh_commands_outside, action permit +241: Destination translation rule ("static" command) +244: Interface Ethernet0.101 ruleset outside_in direction 'in' +245: Interface Ethernet1 ruleset inside_in direction 'in' +246: Interface Ethernet1 ruleset inside_out direction 'out' +287: Interface Ethernet1 ruleset ssh_commands_inside direction 'in' +287: filtering rule: access list ssh_commands_inside, action permit +288: Interface Ethernet1 ruleset ssh_commands_inside direction 'in' +288: filtering rule: access list ssh_commands_inside, action permit +289: Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in' +289: 
filtering rule: access list ssh_commands_outside, action permit diff --git a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test index ebebb3d04..d5db9a135 100644 --- a/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test +++ b/src/unit_tests/PIXImporterTest/test_data/pix7-nat.test @@ -165,6 +165,9 @@ nat (inside) 0 access-list EXEMPT ! example of nat () 1 0 0 command nat (inside) 3 0 0 +! "nat outside example with max_conn parameter +nat (dmz20) 2 10.2.2.0 255.255.255.0 outside 1000 + static (inside,dmz20) 10.0.0.16 10.1.1.16 netmask 255.255.255.240