onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-05-01 22:57:33 +02:00
Code Issues Releases Wiki Activity

fixes #2679 import of PIX "nat exemptions" rules

Browse Source
This commit is contained in:
Vadim Kurland 2011-12-07 15:41:41 -08:00
parent b0dcb679dc
commit eacdadc1b9
7 changed files with 1237 additions and 1128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/ChangeLog
View File

@ -1,5 +1,9 @@
2011-12-07 Vadim Kurland <vadim@netcitadel.com>
* PIXImporterNat.cpp (PIXImporter::buildNoNATRule): fixes #2679
Policy importer for PIX/ASA could not import "nat exemption" rule
(for example: "nat (inside) 0 access-list EXEMPT")
* pix.g (nat_addr_match): fixes #2677 Policy importer for PIX/ASA
could not parse command "nat (inside) 1 0 0"

2
src/import/PIXImporter.h
View File

@ -73,6 +73,7 @@ class PIXImporter : public IOSImporter
void mixServiceObjects(libfwbuilder::FWObject *src_ports,
libfwbuilder::FWObject *dst_ports,
libfwbuilder::FWObject *service_group);
void natRuleWithACL(libfwbuilder::NATRule *rule);
public:
@ -128,6 +129,7 @@ public:
void pushNATRule();
void buildDNATRule();
void buildSNATRule();
void buildNoNATRule();
virtual void pushRule();
// this method actually adds interfaces to the firewall object

286
src/import/PIXImporterNat.cpp
View File

@ -289,128 +289,186 @@ void PIXImporter::buildSNATRule()
// Parser matches INT_CONST so it can't be anything but integer...
assert (ok);
foreach(GlobalPool pool, global_pools[pool_num])
if (pool_num == 0) buildNoNATRule();
else
{
if (fwbdebug)
foreach(GlobalPool pool, global_pools[pool_num])
{
qDebug() << "NAT command num=" << pool_num;
qDebug() << "nat_a=" << nat_a.c_str()
<< "nat_nm=" << nat_nm.c_str();
qDebug() << "Using pool " << pool.toString();
}
Interface *post_intf = getInterfaceByLabel(pool.pool_interface);
newNATRule();
NATRule *rule = NATRule::cast(current_rule);
Interface *pre_intf = getInterfaceByLabel(prenat_interface);
rule->setAction(NATRule::Translate);
if ( ! nat_a.empty())
{
// makeSrcObj() uses these variables
src_a = nat_a;
src_nm = nat_nm;
RuleElement* osrc = rule->getOSrc();
assert(osrc!=NULL);
FWObject *s = makeSrcObj();
if (s) osrc->addRef( s );
}
ObjectSignature sig(error_tracker);
FWObject *addr = NULL;
if (pool.start == "interface")
{
addr = post_intf;
} else
{
if (pool.start == pool.end)
if (fwbdebug)
{
sig.type_name = Address::TYPENAME;
sig.address = pool.start.c_str();
sig.netmask = pool.netmask.c_str();
qDebug() << "NAT command num=" << pool_num;
qDebug() << "nat_a=" << nat_a.c_str()
<< "nat_nm=" << nat_nm.c_str();
qDebug() << "Using pool " << pool.toString();
}
Interface *post_intf = getInterfaceByLabel(pool.pool_interface);
newNATRule();
NATRule *rule = NATRule::cast(current_rule);
Interface *pre_intf = getInterfaceByLabel(prenat_interface);
rule->setAction(NATRule::Translate);
if ( ! nat_a.empty())
{
// makeSrcObj() uses these variables
src_a = nat_a;
src_nm = nat_nm;
RuleElement* osrc = rule->getOSrc();
assert(osrc!=NULL);
FWObject *s = makeSrcObj();
if (s) osrc->addRef( s );
}
ObjectSignature sig(error_tracker);
FWObject *addr = NULL;
if (pool.start == "interface")
{
addr = post_intf;
} else
{
sig.type_name = AddressRange::TYPENAME;
sig.setAddressRangeStart(pool.start.c_str());
sig.setAddressRangeEnd(pool.end.c_str());
}
addr = commitObject(address_maker->createObject(sig));
}
RuleElement* tsrc = rule->getTSrc();
assert(tsrc!=NULL);
if (addr) tsrc->addRef( addr );
RuleElement *itf_i_re = rule->getItfInb();
assert(itf_i_re!=NULL);
itf_i_re->addRef(pre_intf);
RuleElement *itf_o_re = rule->getItfOutb();
assert(itf_o_re!=NULL);
itf_o_re->addRef(post_intf);
if ( ! nat_acl.empty())
{
UnidirectionalRuleSet *rs = all_rulesets[nat_acl];
if (rs)
{
for(FWObject::iterator rs_it=rs->ruleset->begin();
rs_it!=rs->ruleset->end(); ++rs_it)
if (pool.start == pool.end)
{
PolicyRule *policy_rule = PolicyRule::cast(*rs_it);
if (policy_rule)
{
FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
NATRule *nat_rule = NATRule::cast(
dbroot->create(NATRule::TYPENAME));
nat_rule->duplicate(rule);
RuleElement* osrc = nat_rule->getOSrc();
RuleElement* odst = nat_rule->getODst();
RuleElement* osrv = nat_rule->getOSrv();
/* copy objects from a policy rule into "original"
* rule elements of a nat rule
*
* Src --> OSrc
* Dst --> ODst
* Srv --> OSrv
*/
RuleElement *re = policy_rule->getSrc();
FWObject::iterator it;
for (it=re->begin(); it!=re->end(); ++it)
osrc->addRef(FWReference::getObject(*it));
re = policy_rule->getDst();
for (it=re->begin(); it!=re->end(); ++it)
odst->addRef(FWReference::getObject(*it));
re = policy_rule->getSrv();
for (it=re->begin(); it!=re->end(); ++it)
osrv->addRef(FWReference::getObject(*it));
current_ruleset->ruleset->add(nat_rule);
addStandardImportComment(
nat_rule, QString::fromUtf8(rule_comment.c_str()));
}
sig.type_name = Address::TYPENAME;
sig.address = pool.start.c_str();
sig.netmask = pool.netmask.c_str();
} else
{
sig.type_name = AddressRange::TYPENAME;
sig.setAddressRangeStart(pool.start.c_str());
sig.setAddressRangeEnd(pool.end.c_str());
}
rs->to_be_deleted = true;
addr = commitObject(address_maker->createObject(sig));
}
RuleElement* tsrc = rule->getTSrc();
assert(tsrc!=NULL);
if (addr) tsrc->addRef( addr );
RuleElement *itf_i_re = rule->getItfInb();
assert(itf_i_re!=NULL);
itf_i_re->addRef(pre_intf);
RuleElement *itf_o_re = rule->getItfOutb();
assert(itf_o_re!=NULL);
itf_o_re->addRef(post_intf);
if ( ! nat_acl.empty())
{
natRuleWithACL(rule);
} else
{
// add it to the current ruleset
current_ruleset->ruleset->add(rule);
addStandardImportComment(rule,
QString::fromUtf8(rule_comment.c_str()));
}
} else
{
// add it to the current ruleset
current_ruleset->ruleset->add(rule);
addStandardImportComment(rule,
QString::fromUtf8(rule_comment.c_str()));
}
}
}
void PIXImporter::buildNoNATRule()
{
addMessageToLog(QString("NAT exemption rule (\"nat (interface) 0\" command)"));
if (fwbdebug)
{
qDebug() << "NAT command num=0";
qDebug() << "nat_a=" << nat_a.c_str() << "nat_nm=" << nat_nm.c_str();
}
newNATRule();
NATRule *rule = NATRule::cast(current_rule);
rule->setRuleType(libfwbuilder::NATRule::NONAT);
Interface *pre_intf = getInterfaceByLabel(prenat_interface);
rule->setAction(NATRule::Translate);
if ( ! nat_a.empty())
{
// makeSrcObj() uses these variables
src_a = nat_a;
src_nm = nat_nm;
RuleElement* osrc = rule->getOSrc();
assert(osrc!=NULL);
FWObject *s = makeSrcObj();
if (s) osrc->addRef( s );
}
RuleElement *itf_i_re = rule->getItfInb();
assert(itf_i_re!=NULL);
itf_i_re->addRef(pre_intf);
if ( ! nat_acl.empty())
{
natRuleWithACL(rule);
} else
{
// add it to the current ruleset
current_ruleset->ruleset->add(rule);
addStandardImportComment(rule,
QString::fromUtf8(rule_comment.c_str()));
}
}
void PIXImporter::natRuleWithACL(NATRule *rule)
{
UnidirectionalRuleSet *rs = all_rulesets[nat_acl];
if (rs)
{
for(FWObject::iterator rs_it=rs->ruleset->begin();
rs_it!=rs->ruleset->end(); ++rs_it)
{
PolicyRule *policy_rule = PolicyRule::cast(*rs_it);
if (policy_rule)
{
FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
NATRule *nat_rule = NATRule::cast(
dbroot->create(NATRule::TYPENAME));
nat_rule->duplicate(rule);
RuleElement* osrc = nat_rule->getOSrc();
RuleElement* odst = nat_rule->getODst();
RuleElement* osrv = nat_rule->getOSrv();
/* copy objects from a policy rule into "original"
* rule elements of a nat rule
*
* Src --> OSrc
* Dst --> ODst
* Srv --> OSrv
*/
RuleElement *re = policy_rule->getSrc();
FWObject::iterator it;
for (it=re->begin(); it!=re->end(); ++it)
osrc->addRef(FWReference::getObject(*it));
re = policy_rule->getDst();
for (it=re->begin(); it!=re->end(); ++it)
odst->addRef(FWReference::getObject(*it));
re = policy_rule->getSrv();
for (it=re->begin(); it!=re->end(); ++it)
osrv->addRef(FWReference::getObject(*it));
current_ruleset->ruleset->add(nat_rule);
addStandardImportComment(
nat_rule, QString::fromUtf8(rule_comment.c_str()));
}
}
rs->to_be_deleted = true;
}
}

8
src/res/help/en_US/release_notes_5.0.1.html
View File

@ -247,6 +247,14 @@
</p>
</li>
<li>
<p>
fixes #2679 Policy importer for PIX/ASA could not import "nat
exemption" rule (for example: "nat (inside) 0 access-list
EXEMPT")
</p>
</li>
</ul>

1996
src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb
View File

File diff suppressed because it is too large Load Diff

63
src/unit_tests/PIXImporterTest/test_data/pix7-nat.output
View File

@ -48,32 +48,29 @@ Warning: interface Ethernet6 was not imported because it is in "shutdown" mode
109: filtering rule: access list WEB, action permit
111: filtering rule: access list WEB2, action permit
112: filtering rule: access list WEB2, action permit
114: filtering rule: access list NET1, action permit
142: Global address pool: number 1, interface outside, address range interface-interface, netmask 255.255.255.255
143: Source translation rule ("nat" command)
145: Global address pool: number 2, interface outside, address range 192.0.2.10-192.0.2.10, netmask 255.255.255.255
146: Global address pool: number 2, interface outside, address range 192.0.2.11-192.0.2.15, netmask 255.255.255.255
147: Global address pool: number 2, interface outside, address range 192.0.2.128-192.0.2.128, netmask 255.255.255.240
148: Global address pool: number 2, interface dmz20, address range 10.0.0.128-10.0.0.128, netmask 255.255.255.240
149: Global address pool: number 3, interface outside, address range 192.0.2.20-192.0.2.20, netmask 255.255.255.255
150: Global address pool: number 3, interface outside, address range 192.0.2.30-192.0.2.31, netmask 255.255.255.255
152: Source translation rule ("nat" command)
113: filtering rule: access list EXEMPT, action permit
115: filtering rule: access list NET1, action permit
143: Global address pool: number 1, interface outside, address range interface-interface, netmask 255.255.255.255
144: Source translation rule ("nat" command)
146: Global address pool: number 2, interface outside, address range 192.0.2.10-192.0.2.10, netmask 255.255.255.255
147: Global address pool: number 2, interface outside, address range 192.0.2.11-192.0.2.15, netmask 255.255.255.255
148: Global address pool: number 2, interface outside, address range 192.0.2.128-192.0.2.128, netmask 255.255.255.240
149: Global address pool: number 2, interface dmz20, address range 10.0.0.128-10.0.0.128, netmask 255.255.255.240
150: Global address pool: number 3, interface outside, address range 192.0.2.20-192.0.2.20, netmask 255.255.255.255
151: Global address pool: number 3, interface outside, address range 192.0.2.30-192.0.2.31, netmask 255.255.255.255
153: Source translation rule ("nat" command)
155: Source translation rule ("nat" command)
154: Source translation rule ("nat" command)
156: Source translation rule ("nat" command)
159: Source translation rule ("nat" command)
162: Source translation rule ("nat" command)
164: Destination translation rule ("static" command)
165: Destination translation rule ("static" command)
166: Destination translation rule ("static" command)
167: Destination translation rule ("static" command)
168: Destination translation rule ("static" command)
157: Source translation rule ("nat" command)
160: Source translation rule ("nat" command)
163: Source translation rule ("nat" command)
163: NAT exemption rule ("nat (interface) 0" command)
166: Source translation rule ("nat" command)
170: Destination translation rule ("static" command)
171: Destination translation rule ("static" command)
172: Destination translation rule ("static" command)
173: Destination translation rule ("static" command)
174: Destination translation rule ("static" command)
175: Destination translation rule ("static" command)
176: Destination translation rule ("static" command)
177: Destination translation rule ("static" command)
178: Destination translation rule ("static" command)
@ -119,17 +116,23 @@ Warning: interface Ethernet6 was not imported because it is in "shutdown" mode
218: Destination translation rule ("static" command)
219: Destination translation rule ("static" command)
220: Destination translation rule ("static" command)
221: Destination translation rule ("static" command)
222: Destination translation rule ("static" command)
223: Destination translation rule ("static" command)
224: Destination translation rule ("static" command)
225: Destination translation rule ("static" command)
226: Destination translation rule ("static" command)
227: Destination translation rule ("static" command)
229: Destination translation rule ("static" command)
231: Destination translation rule ("static" command)
232: Destination translation rule ("static" command)
235: Interface Ethernet0.101 ruleset outside_in direction 'in'
236: Interface Ethernet1 ruleset inside_in direction 'in'
237: Interface Ethernet1 ruleset inside_out direction 'out'
278: Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
278: filtering rule: access list ssh_commands_inside, action permit
279: Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
279: filtering rule: access list ssh_commands_inside, action permit
280: Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in'
280: filtering rule: access list ssh_commands_outside, action permit
233: Destination translation rule ("static" command)
235: Destination translation rule ("static" command)
238: Destination translation rule ("static" command)
241: Interface Ethernet0.101 ruleset outside_in direction 'in'
242: Interface Ethernet1 ruleset inside_in direction 'in'
243: Interface Ethernet1 ruleset inside_out direction 'out'
284: Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
284: filtering rule: access list ssh_commands_inside, action permit
285: Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
285: filtering rule: access list ssh_commands_inside, action permit
286: Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in'
286: filtering rule: access list ssh_commands_outside, action permit

6
src/unit_tests/PIXImporterTest/test_data/pix7-nat.test
View File

@ -110,6 +110,7 @@ access-list WEB permit tcp 10.1.1.0 255.255.255.0 4.2.2.1 255.255.255.255 eq 80
access-list WEB2 permit tcp 192.168.2.0 255.255.255.0 4.2.2.1 255.255.255.255 eq 80
access-list WEB2 permit tcp 192.168.3.0 255.255.255.0 4.2.2.1 255.255.255.255 eq 80
access-list EXEMPT permit ip 192.168.4.0 255.255.255.0 any
access-list NET1 permit ip host 10.1.1.20 host 4.2.2.1
@ -158,8 +159,13 @@ nat (inside) 1 access-list WEB2
! multiple address blocks in pool 3 and multiple lines in access list WEB2
nat (inside) 3 access-list WEB2
! nat exemption example
nat (inside) 0 access-list EXEMPT
! example of nat () 1 0 0 command
nat (inside) 3 0 0
static (inside,dmz20) 10.0.0.16 10.1.1.16 netmask 255.255.255.240
static (inside,dmz20) 10.0.0.100 10.1.1.100 netmask 255.255.255.255