* PolicyCompiler_iosacl.cpp (splitTCPServiceWithFlags::processNext):

fixed #1247 incorrect use of tcp service with flags in
object-group.  "object-group service" does not seem to support tcp
flags and "established"

build_num

@@ -1 +1 @@
-#define BUILD_NUM 2567
+#define BUILD_NUM 2568

doc/ChangeLog

@@ -1,5 +1,10 @@
 2010-02-18  glitch.vk.crocodile.org  <vadim@vk.crocodile.org>
 
+	* PolicyCompiler_iosacl.cpp (splitTCPServiceWithFlags::processNext):
+	fixed #1247 incorrect use of tcp service with flags in
+	object-group.  "object-group service" does not seem to support tcp
+	flags and "established"
+
 	* ObjectTreeViewItem.cpp (ObjectTreeViewItem::data): 
 	fixed #1248 Filtering in the object-tree crashes the GUI,
 	SourceForge bug #2954501

src/cisco_lib/PolicyCompiler_iosacl.cpp

@@ -218,7 +218,7 @@ bool PolicyCompiler_iosacl::SpecialServices::processNext()
 {
     //PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
     PolicyRule *rule=getNext(); if (rule==NULL) return false;
-    Service    *s=compiler->getFirstSrv(rule);
+    Service *s = compiler->getFirstSrv(rule);
 
     if (IPService::cast(s)!=NULL)
     {
@@ -240,6 +240,55 @@ bool PolicyCompiler_iosacl::SpecialServices::processNext()
     return true;
 }
 
+/*
+ * This rule processor is used to separate TCP service objects that
+ * match tcp flags when generated config uses object-group clause
+ */
+bool PolicyCompiler_iosacl::splitTCPServiceWithFlags::processNext()
+{
+    PolicyRule *rule=getNext(); if (rule==NULL) return false;
+    RuleElementSrv *srv = rule->getSrv();
+
+    if (srv->size() > 1)
+    {
+        std::list<FWObject*> cl;
+        for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1) 
+        {
+            FWObject *o   = *i1;
+            FWObject *obj = NULL;
+            if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
+            Service *s=Service::cast(obj);
+            assert(s!=NULL);
+
+            TCPService *tcp_srv = TCPService::cast(s);
+            if (tcp_srv && (tcp_srv->inspectFlags() || tcp_srv->getEstablished()))
+                cl.push_back(s);
+        }
+
+        while (!cl.empty()) 
+        {
+            PolicyRule  *r = compiler->dbcopy->createPolicyRule();
+            compiler->temp_ruleset->add(r);
+            r->duplicate(rule);
+
+            RuleElementSrv *nsrv = r->getSrv();
+            nsrv->clearChildren();
+            nsrv->addRef( cl.front() );
+            tmp_queue.push_back(r);
+
+            srv->removeRef( cl.front() );
+            cl.pop_front();
+        }
+        if (srv->size()>0) tmp_queue.push_back(rule);
+
+    } else
+        tmp_queue.push_back(rule);
+
+    return true;
+}
+
+
+
 void PolicyCompiler_iosacl::compile()
 {
     string banner = " Compiling ruleset " + getSourceRuleSet()->getName();
@@ -393,6 +442,14 @@ void PolicyCompiler_iosacl::compile()
 
         if (supports_object_groups)
         {
+            // "object-group service" does not seem to support
+            // matching of tcp flags and "established". Need to
+            // separate objects using these into separate rules to avoid
+            // object-group
+
+            add( new splitTCPServiceWithFlags(
+                     "separate TCP service with tcp flags"));
+
             add( new CreateObjectGroupsForSrc("create object groups for Src"));
             add( new CreateObjectGroupsForDst("create object groups for Dst"));
             add( new CreateObjectGroupsForSrv("create object groups for Srv"));

src/cisco_lib/PolicyCompiler_iosacl.h

@@ -197,6 +197,14 @@ namespace fwcompiler {
         DECLARE_POLICY_RULE_PROCESSOR(printClearCommands);
         friend class PolicyCompiler_iosacl::printClearCommands;
 
+        /**
+         * "object-group service" does not seem to support matching of
+         * tcp flags and "established". Need to separate objects using
+         * these into separate rules to avoid object-group
+         */
+        DECLARE_POLICY_RULE_PROCESSOR(splitTCPServiceWithFlags);
+        friend class PolicyCompiler_iosacl::splitTCPServiceWithFlags;
+        
 	/**
 	 *  this processor prints single policy rule, assuming all
 	 *  groups have been expanded, so source, destination and

test/iosacl/objects-for-regression-tests.fwb

@@ -5955,7 +5955,7 @@
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id115980X79820" host_OS="ios" inactive="False" lastCompiled="1261963349" lastInstalled="0" lastModified="1266468639" platform="iosacl" version="12.4" name="testios5-1" comment="mirrored rules,  using object-groups&#10;" ro="False">
+      <Firewall id="id115980X79820" host_OS="ios" inactive="False" lastCompiled="1261963349" lastInstalled="0" lastModified="1266554058" platform="iosacl" version="12.4" name="testios5-1" comment="mirrored rules,  using object-groups&#10;" ro="False">
         <NAT id="id116156X79820" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>
@@ -6180,6 +6180,7 @@
               <ServiceRef ref="udp-ntp"/>
               <ServiceRef ref="tcp-HTTP"/>
               <ServiceRef ref="icmp-ping_request"/>
+              <ServiceRef ref="id3B4FED69"/>
             </Srv>
             <Itf neg="False">
               <ObjectRef ref="id115988X79820"/>
@@ -6204,7 +6205,8 @@
             <Srv neg="False">
               <ServiceRef ref="id83887X7744"/>
               <ServiceRef ref="id83889X7744"/>
-              <ServiceRef ref="id4641521729061"/>
+              <ServiceRef ref="tcp-HTTP"/>
+              <ServiceRef ref="id3B4FED69"/>
             </Srv>
             <Itf neg="False">
               <ObjectRef ref="id7107X77171"/>
@@ -6228,6 +6230,7 @@
             </Dst>
             <Srv neg="False">
               <ServiceRef ref="id5470X38343"/>
+              <ServiceRef ref="id4641521729061"/>
             </Srv>
             <Itf neg="False">
               <ObjectRef ref="id7107X77171"/>