see #2265 "ASA 8.3 acl import: access-list commands using two
named objects or object-groups", see #2290 "Access lists that
include mix of service objects and inline service definitions are
not properly imported". To import access-list command that matches
both source and destination tcp/udp ports and uses object-group in
either match I should create a new service group with a collection
of TCP or UDP service objects matching all combinations of source
and destination port ranges defined by the rule. This should work
when one or both matches use object-group in combination with
inline port match.
importer enounters access-list command that matches tcp or udp
ports with "neq" port operators in both source and
destination. This configuration is not supported by import at this
time.
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
access-list destination address and original service not set".
"Nat" and "static" commands that use access-list should import all
components of the access-list command (source, destination and
service/protocol).
nat rule has wrong interface defined". Importer mixed up inbound
and outbound interfaces in NAT commands created from combination
of "global" and "nat" PIX/ASA commands.
ends up with rules being created with duplicate rule
numbers". Also see #2172 "Crash when deleting rule - related to
#2171". When user deleted the last rule in a rule set, then used
Undo to restore it, the program lost track of rules in the rule
set and became unstable.
same service object-group that matches some tcp or udp ports can
be used to match both source and destination ports in an
access-list command. Importer should recognize when such group
is used to match source ports and create mirrored group with
potentially mirrored service objects. This should work when group
includes other groups.
test cases in asa8.3-acl.test
and udp port names are recognized on import; also since PIX/ASA
converts udp port numbersin "show run" output to the same names
as if they were tcp, using the same name mapping table.
ASA access-lists that are not applied in an access-group". Policy
rule set will be created and populated with rules found in the
corresponding access-list even if this access-list is not applied
to an interface with access-group command.
the parser for PIX/ASA configs to make it recognize object-group
and named object names used to define source port, destination
address or destination port in "access-list ... tcp|udp" rules,
including ambiguous situation when an object-group appears after
source address specification because this group can define either
source port or destination address.
support for import of object-group and service-object statements
of type "tcp-udp" (these get imported as service group object with
two tcp and udp service objects).
"importer should not creates objects while still in the middle of
the wizard". Importer wizard creates new objects in the object
tree only when user clicks Finish and abandons results if they
click Cancel.
import of Cisco IOS and PIX/ASA service configurations using port
operation "neq". Since object model in fwbuilder does not provide
direct support for "port not equal to" expression, this
configuration is conveted into two tcp or udp service objects with
port range extending below and above specified port and these two
service objects are then placed in a group.
behavior: configuration import is aborted with an appropriate
error message in the log when program enounters protocol or
service name that it does not recognize and can not convert to
protocol or port number. We used to replace port number with some
placeholder (usually 0) and mark rule as "bad" by coloring it red
and adding comment.
de-duplication during import process". Also SourceForge bug
2980566 "Import from hostsfile may cause duplicate Objects" and
3030072 "remove duplicates during any import". Now the program can
optionally re-use existing objects from both Standard Objects and
user-defined libraries when it imports existing firewall
configuration. This works for any firewall platform for which we
support policy import.
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally can
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
