diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp index 093d474c6..499cfc2f6 100644 --- a/src/cisco_lib/NATCompiler_pix.cpp +++ b/src/cisco_lib/NATCompiler_pix.cpp @@ -760,10 +760,12 @@ bool NATCompiler_pix::ReplaceFirewallObjectsODst::processNext() if (! iface->isLoopback() && iface->getSecurityLevel()==0 ) cl.push_back(iface); } - if ( ! cl.empty() ) { - while (rel->size()) - rel->remove( rel->front() ); - + if ( ! cl.empty() ) + { + // while (rel->size()) + // rel->remove( rel->front() ); + rel->clearChildren(); + for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1) { rel->addRef( *i1 ); @@ -807,14 +809,17 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext() osrc_level = osrc_iface->getSecurityLevel(); } - rel=rule->getTSrc(); assert(rel); + rel = rule->getTSrc(); + assert(rel); + if (rel->size() == 0) { compiler->abort(rule, "Empty TSrc"); return true; } - obj=compiler->getFirstTSrc(rule); assert(obj!=NULL); + obj = compiler->getFirstTSrc(rule); + assert(obj!=NULL); if (obj->getId()==compiler->getFwId() ) { @@ -840,10 +845,13 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext() helper.findInterfaceByNetzone(odst ) ); if (odst_iface!=NULL) cl.push_back(odst_iface); } - if ( ! cl.empty() ) { - while (rel->size()) - rel->remove( rel->front() ); - + + if ( ! cl.empty() ) + { + // while (rel->size()) + // rel->remove( rel->front() ); + rel->clearChildren(); + for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1) { rel->addRef( *i1 ); diff --git a/src/cisco_lib/PolicyCompiler_cisco.cpp b/src/cisco_lib/PolicyCompiler_cisco.cpp index e99b5e5d9..98cb48e7d 100644 --- a/src/cisco_lib/PolicyCompiler_cisco.cpp +++ b/src/cisco_lib/PolicyCompiler_cisco.cpp 
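Review bot: The removal loop that `rel->clearChildren();` replaces is left in place as commented-out code (`// while (rel->size())` / `// rel->remove( rel->front() );`) in the ReplaceFirewallObjectsODst hunk at -760, and the same pair reappears in the ReplaceFirewallObjectsTSrc hunk at -840; dead code belongs in version history, and a one-line intent comment such as `// drop every existing reference before re-populating rel from cl` would serve readers better. Beyond style, `clearChildren()` is only a safe substitute if it releases the referenced interface objects the way the old `remove()` calls did; if it just deletes the child reference objects without touching the targets' reference counts, the interfaces that were previously in `rel` keep a stale count — worth confirming against FWObject before relying on it in both hunks. The -807 hunk in between is a formatting-only split of `rel = rule->getTSrc();` / `assert(rel);` and needs no change. Both enclosing processNext bodies start before and continue after their hunks.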
@@ -373,33 +373,30 @@ bool PolicyCompiler_cisco::NegationPhase1::processNext() */ bool PolicyCompiler_cisco::splitIfRuleElementMatchesFW::processNext() { - PolicyRule *rule=getNext(); if (rule==NULL) return false; - PolicyCompiler_cisco *cisco_comp=dynamic_cast(compiler); + PolicyRule *rule = getNext(); if (rule==NULL) return false; + PolicyCompiler_cisco *cisco_comp = dynamic_cast(compiler); - RuleElement *re=RuleElement::cast(rule->getFirstByType(re_type)); - int nre=re->size(); + RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); + int nre = re->size(); list cl; for (list::iterator i1=re->begin(); nre>1 && i1!=re->end(); ++i1) { - FWObject *o = *i1; - FWObject *obj = NULL; - if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer(); - Address *a=Address::cast(obj); + FWObject *obj = FWReference::getObject(*i1); + Address *a = Address::cast(obj); assert(a!=NULL); -// InetAddr obj_addr=a->getAddress(); + if (cisco_comp->complexMatch(a,cisco_comp->fw)) + { + cl.push_back(obj); - if (cisco_comp->complexMatch(a,cisco_comp->fw)) { - - cl.push_back(o); // can not remove right now because remove invalidates iterator nre--; - PolicyRule *new_rule= compiler->dbcopy->createPolicyRule(); + PolicyRule *new_rule = compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(new_rule); new_rule->duplicate(rule); - RuleElement *new_re=RuleElement::cast(new_rule->getFirstByType(re_type)); + RuleElement *new_re = RuleElement::cast(new_rule->getFirstByType(re_type)); new_re->clearChildren(); new_re->setAnyElement(); new_re->addRef( a ); @@ -407,10 +404,11 @@ bool PolicyCompiler_cisco::splitIfRuleElementMatchesFW::processNext() } } + if (!cl.empty()) { for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1) - re->remove( (*i1) ); + re->removeRef(*i1); } tmp_queue.push_back(rule);
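Review bot: Neither `cisco_comp` (from the `dynamic_cast` on the second line of splitIfRuleElementMatchesFW::processNext, whose template argument is stripped in this rendering) nor `re` (from `RuleElement::cast(...)`) is checked before being dereferenced at `re->size()` and `cisco_comp->complexMatch(a,cisco_comp->fw)`; the function already guards the element with `assert(a!=NULL);`, so `assert(cisco_comp!=NULL); assert(re!=NULL);` right after those two declarations would fit the existing style, keeping in mind that all of these asserts are compiled out under NDEBUG. The switch from collecting the reference (`o`) to collecting the target object (`obj`) matches the later `re->removeRef(*i1);` in the -407 hunk, but if a rule element can hold two references to the same address object, `cl` will contain that object twice and `removeRef` will be called twice — whether the second call is a harmless no-op depends on FWObject::removeRef, which is not visible here. The `if (!cl.empty())` guard around that final loop is redundant, since iterating an empty list does nothing, though harmless. The function body spans both hunks and the first hunk's `for` loop closes in the second.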