
Source code changes of the file "go/testdata/nat.t" between
Netspoc-6.026.tar.gz and Netspoc-6.027.tar.gz

About: NetSPoC is a network security policy compiler (using its own description language) to manage all the packet filter devices inside your network topology.

nat.t  (Netspoc-6.026):nat.t  (Netspoc-6.027)
skipping to change at line 253 skipping to change at line 253
permit src = user; dst = network:Test; prt = tcp 81; permit src = user; dst = network:Test; prt = tcp 81;
} }
=END= =END=
# Only first error is shown. # Only first error is shown.
=ERROR= =ERROR=
Error: network:Test is hidden by nat:C in rule Error: network:Test is hidden by nat:C in rule
permit src=any:[network:X]; dst=network:Test; prt=tcp 80; of service:s1 permit src=any:[network:X]; dst=network:Test; prt=tcp 80; of service:s1
=END= =END=
############################################################ ############################################################
=TITLE=Multiple hosts in hidden network
=INPUT=
network:n1 = {
ip = 10.1.1.0/24;
nat:n1 = { hidden; }
host:h13 = { ip = 10.1.1.3; }
host:h14 = { ip = 10.1.1.4; }
}
network:n2 = { ip = 10.1.2.0/24; }
network:n3 = { ip = 10.1.3.0/24; }
network:n4 = {
ip = 10.1.4.0/24;
nat:n4 = { hidden; }
host:h43 = { ip = 10.1.4.3; }
host:h44 = { ip = 10.1.4.4; }
}
router:r1 = {
interface:n1 = { ip = 10.1.1.1; }
interface:n2 = { ip = 10.1.2.1; bind_nat = n1;
}
}
router:r2 = {
managed;
model = IOS;
interface:n2 = { ip = 10.1.2.2; hardware = n2; }
interface:n3 = { ip = 10.1.3.1; hardware = n3; }
}
router:r3 = {
interface:n3 = { ip = 10.1.3.2; bind_nat = n4; }
interface:n4 = { ip = 10.1.4.1; }
}
service:s1 = {
user = host:h13;
permit src = user; dst = host:h43; prt = tcp 82;
}
service:s2 = {
user = host:h13;
permit src = user; dst = host:h43; prt = tcp 83;
}
service:s3 = {
user = host:h14;
permit src = user; dst = host:h44; prt = tcp 84;
}
=END=
# Only first error is shown.
=ERROR=
Error: host:h13 is hidden by nat:n1 in rule
permit src=host:h13; dst=host:h43; prt=tcp 82; of service:s1
Error: host:h43 is hidden by nat:n4 in rule
permit src=host:h13; dst=host:h43; prt=tcp 82; of service:s1
=END=
############################################################
=TITLE=NAT network is undeclared subnet =TITLE=NAT network is undeclared subnet
=INPUT= =INPUT=
network:n1 = { network:n1 = {
ip = 10.1.1.0/24; ip = 10.1.1.0/24;
nat:n1 = { hidden; } nat:n1 = { hidden; }
has_subnets; has_subnets;
host:h65 = { ip = 10.1.1.65; } host:h65 = { ip = 10.1.1.65; }
host:h66 = { ip = 10.1.1.66; } host:h66 = { ip = 10.1.1.66; }
} }
network:n1sub = { ip = 10.1.1.64/26; nat:n1sub = { ip = 10.1.2.64/26; } } network:n1sub = { ip = 10.1.1.64/26; nat:n1sub = { ip = 10.1.2.64/26; } }
skipping to change at line 1660 skipping to change at line 1714
permit src=host:h1; dst=any:[network:n4]; prt=tcp 80; of service:s1 permit src=host:h1; dst=any:[network:n4]; prt=tcp 80; of service:s1
Error: network:n2 is hidden by nat:h2 in rule Error: network:n2 is hidden by nat:h2 in rule
permit src=network:n2; dst=any:[network:n4]; prt=tcp 80; of service:s1 permit src=network:n2; dst=any:[network:n4]; prt=tcp 80; of service:s1
Error: host:h1 needs static translation for nat:d1 at router:r2 to be valid in r ule Error: host:h1 needs static translation for nat:d1 at router:r2 to be valid in r ule
permit src=host:h1; dst=any:[network:n4]; prt=tcp 80; of service:s1 permit src=host:h1; dst=any:[network:n4]; prt=tcp 80; of service:s1
Error: network:n3 is hidden by nat:h3 in rule Error: network:n3 is hidden by nat:h3 in rule
permit src=network:n3; dst=any:[network:n4]; prt=tcp 80; of service:s1 permit src=network:n3; dst=any:[network:n4]; prt=tcp 80; of service:s1
=END= =END=
############################################################ ############################################################
=TITLE=Multiple rules and objects with dynamic NAT
# Check correct caching of results.
=INPUT=
network:n1 = {
ip = 10.1.1.0/24;
nat:n1 = { ip = 1.9.2.0/27; dynamic; }
host:h13 = { ip = 10.1.1.3; }
host:h14 = { ip = 10.1.1.4; }
host:h15 = { ip = 10.1.1.5; nat:n1 = { ip = 1.9.2.25; } }
}
network:n2 = { ip = 10.1.2.0/24; }
network:n3 = { ip = 10.1.3.0/24; }
network:n4 = {
ip = 10.1.4.0/24;
nat:n4 = { ip = 1.9.4.0/27; dynamic; }
host:h43 = { ip = 10.1.4.3; }
host:h44 = { ip = 10.1.4.4; }
}
router:r1 = {
interface:n1 = { ip = 10.1.1.1; }
interface:n2 = { ip = 10.1.2.1; bind_nat = n1;
}
}
router:r2 = {
managed;
model = IOS;
interface:n2 = { ip = 10.1.2.2; hardware = n2; }
interface:n3 = { ip = 10.1.3.1; hardware = n3; }
}
router:r3 = {
interface:n3 = { ip = 10.1.3.2; bind_nat = n4; }
interface:n4 = { ip = 10.1.4.1; nat:n4 = { ip = 1.9.4.21; } }
}
service:s1 = {
user = host:h15;
permit src = user; dst = interface:r3.n4; prt = tcp 81;
}
service:s2 = {
user = host:h13;
permit src = user; dst = host:h43; prt = tcp 82;
}
service:s3 = {
user = host:h13;
permit src = user; dst = host:h43; prt = tcp 83;
}
service:s4 = {
user = host:h14;
permit src = user; dst = host:h44; prt = tcp 84;
}
=END=
=ERROR=
Error: host:h13 needs static translation for nat:n1 at router:r2 to be valid in
rule
permit src=host:h13; dst=host:h43; prt=tcp 82; of service:s2
Error: host:h43 needs static translation for nat:n4 at router:r2 to be valid in
rule
permit src=host:h13; dst=host:h43; prt=tcp 82; of service:s2
Error: host:h14 needs static translation for nat:n1 at router:r2 to be valid in
rule
permit src=host:h14; dst=host:h44; prt=tcp 84; of service:s4
Error: host:h44 needs static translation for nat:n4 at router:r2 to be valid in
rule
permit src=host:h14; dst=host:h44; prt=tcp 84; of service:s4
=END=
############################################################
=TITLE=Interface with dynamic NAT applied at same device =TITLE=Interface with dynamic NAT applied at same device
=INPUT= =INPUT=
network:a = { ip = 10.1.1.0/24;} network:a = { ip = 10.1.1.0/24;}
router:r1 = { router:r1 = {
managed; managed;
model = IOS; model = IOS;
routing = manual; routing = manual;
interface:a = {ip = 10.1.1.1; hardware = a;} interface:a = {ip = 10.1.1.1; hardware = a;}
interface:t = {ip = 10.4.4.1; hardware = t;} interface:t = {ip = 10.4.4.1; hardware = t;}
} }
skipping to change at line 2112 skipping to change at line 2229
interface:t1 = { bind_nat = h; } interface:t1 = { bind_nat = h; }
interface:n2; interface:n2;
} }
network:n2 = { ip = 10.1.2.0/24; } network:n2 = { ip = 10.1.2.0/24; }
service:test = { service:test = {
user = network:n1; user = network:n1;
permit src = user; dst = network:n2; prt = proto 50; permit src = user; dst = network:n2; prt = proto 50;
} }
=END= =END=
=ERROR= =ERROR=
Error: Must not apply hidden NAT 'h' on path Error: Must not apply hidden NAT 'h' to src of rule
of rule
permit src=network:n1; dst=network:n2; prt=proto 50; of service:test permit src=network:n1; dst=network:n2; prt=proto 50; of service:test
NAT 'h' is active at NAT 'h' is active at
- interface:r1.t1 - interface:r1.t1
- interface:u1.t1 - interface:u1.t1
Add pathrestriction to exclude this path Add pathrestriction to exclude this path
=END= =END=
############################################################ ############################################################
=TITLE=Ignore hidden network in static routes =TITLE=Ignore hidden network in static routes
=INPUT= =INPUT=
skipping to change at line 2284 skipping to change at line 2400
interface:n2 = { ip = 10.2.2.2; hardware = n2; } interface:n2 = { ip = 10.2.2.2; hardware = n2; }
interface:n1 = { ip = 10.1.1.2; hardware = n1; } interface:n1 = { ip = 10.1.1.2; hardware = n1; }
} }
service:test = { service:test = {
user = network:n1; user = network:n1;
permit src = user; dst = network:n2; prt = tcp 80; permit src = user; dst = network:n2; prt = tcp 80;
} }
=END= =END=
=INPUT=${input} =INPUT=${input}
=ERROR= =ERROR=
Error: Must not apply hidden NAT 'h' on path Error: Must not apply hidden NAT 'h' to src of rule
of rule
permit src=network:n1; dst=network:n2; prt=tcp 80; of service:test permit src=network:n1; dst=network:n2; prt=tcp 80; of service:test
NAT 'h' is active at NAT 'h' is active at
- interface:r1.t1 - interface:r1.t1
- interface:r2.t1 - interface:r2.t1
- interface:r2.t2 - interface:r2.t2
- interface:r3.t2 - interface:r3.t2
Add pathrestriction to exclude this path Add pathrestriction to exclude this path
=END= =END=
############################################################ ############################################################
=TITLE=Traverse hidden NAT domain in loop, 1x unmanaged bind_nat =TITLE=Traverse hidden NAT domain in loop, 1x unmanaged bind_nat
=INPUT=${input} =INPUT=${input}
=SUBST=/managed; #r1// =SUBST=/managed; #r1//
=ERROR= =ERROR=
Error: Must not apply hidden NAT 'h' on path Error: Must not apply hidden NAT 'h' to src of rule
of rule
permit src=network:n1; dst=network:n2; prt=tcp 80; of service:test permit src=network:n1; dst=network:n2; prt=tcp 80; of service:test
NAT 'h' is active at NAT 'h' is active at
- interface:r1.t1 - interface:r1.t1
- interface:r2.t1 - interface:r2.t1
- interface:r2.t2 - interface:r2.t2
- interface:r3.t2 - interface:r3.t2
Add pathrestriction to exclude this path Add pathrestriction to exclude this path
=END= =END=
############################################################ ############################################################
=TITLE=Traverse hidden NAT domain in loop, 2x unmanaged bind_nat =TITLE=Traverse hidden NAT domain in loop, 2x unmanaged bind_nat
=INPUT=${input} =INPUT=${input}
=SUBST=/managed; #r1// =SUBST=/managed; #r1//
=SUBST=/managed; #r3// =SUBST=/managed; #r3//
=ERROR= =ERROR=
Error: Must not apply hidden NAT 'h' on path Error: Must not apply hidden NAT 'h' to src of rule
of rule
permit src=network:n1; dst=network:n2; prt=tcp 80; of service:test permit src=network:n1; dst=network:n2; prt=tcp 80; of service:test
NAT 'h' is active at NAT 'h' is active at
- interface:r1.t1 - interface:r1.t1
- interface:r2.t1 - interface:r2.t1
- interface:r2.t2 - interface:r2.t2
- interface:r3.t2 - interface:r3.t2
Add pathrestriction to exclude this path Add pathrestriction to exclude this path
=END= =END=
############################################################ ############################################################
=TITLE=Traverse dynamic NAT domain in loop =TITLE=Traverse dynamic NAT domain in loop
=INPUT=${input} =INPUT=${input}
=SUBST=|hidden;|ip = 10.9.9.0/24; dynamic;| =SUBST=|hidden;|ip = 10.9.9.0/24; dynamic;|
=ERROR= =ERROR=
Error: Must not apply dynamic NAT 'h' on path Error: Must not apply dynamic NAT 'h' to src of rule
of rule
permit src=network:n1; dst=network:n2; prt=tcp 80; of service:test permit src=network:n1; dst=network:n2; prt=tcp 80; of service:test
NAT 'h' is active at NAT 'h' is active at
- interface:r1.t1 - interface:r1.t1
- interface:r2.t1 - interface:r2.t1
- interface:r2.t2 - interface:r2.t2
- interface:r3.t2 - interface:r3.t2
Add pathrestriction to exclude this path Add pathrestriction to exclude this path
=END= =END=
############################################################ ############################################################
skipping to change at line 2385 skipping to change at line 2497
service:s1 = { service:s1 = {
user = network:n1; user = network:n1;
permit src = user; dst = network:n2; prt = tcp 80; permit src = user; dst = network:n2; prt = tcp 80;
} }
service:s2 = { service:s2 = {
user = network:n1; user = network:n1;
permit src = user; dst = network:n3; prt = tcp 81; permit src = user; dst = network:n3; prt = tcp 81;
} }
=END= =END=
=ERROR= =ERROR=
Error: Must not apply hidden NAT 'h' on path Error: Must not apply hidden NAT 'h' to src of rule
of rule
permit src=network:n1; dst=network:n3; prt=tcp 81; of service:s2 permit src=network:n1; dst=network:n3; prt=tcp 81; of service:s2
NAT 'h' is active at NAT 'h' is active at
- interface:r3.n4 - interface:r3.n4
- interface:r4.n4 - interface:r4.n4
Add pathrestriction to exclude this path Add pathrestriction to exclude this path
=END= =END=
############################################################ ############################################################
=TITLE=Mixed valid and invalid dynamic NAT =TITLE=Mixed valid and invalid dynamic NAT
=INPUT= =INPUT=
network:n1 = { ip = 10.1.1.0/24; network:n1 = { ip = 10.1.1.0/24;
nat:d = { ip = 10.9.9.0/27; dynamic; } nat:d = { ip = 10.9.9.0/27; dynamic; }
host:h10 = { ip = 10.1.1.10; nat:d = { ip = 10.9.9.3; } } host:h10 = { ip = 10.1.1.10; nat:d = { ip = 10.9.9.10; } }
} }
network:n2 = { ip = 10.1.2.0/24; } network:n2 = { ip = 10.1.2.0/24; }
network:n3 = { ip = 10.1.3.0/24; } network:n3 = { ip = 10.1.3.0/24; }
network:n4 = { ip = 10.1.4.0/24; } network:n4 = { ip = 10.1.4.0/24; }
router:r1 = { router:r1 = {
managed; managed;
model = ASA; model = ASA;
interface:n1 = { ip = 10.1.1.1; hardware = n1; } interface:n1 = { ip = 10.1.1.1; hardware = n1; nat:d = { ip = 10.9.9.1; } }
interface:n2 = { ip = 10.1.2.1; hardware = n2; } interface:n2 = { ip = 10.1.2.1; hardware = n2; }
} }
router:r2 = { router:r2 = {
interface:n2 = { ip = 10.1.2.2; hardware = n2; } interface:n2 = { ip = 10.1.2.2; hardware = n2; }
interface:n3 = { ip = 10.1.3.1; hardware = n3; } interface:n3 = { ip = 10.1.3.1; hardware = n3; }
} }
router:r3 = { router:r3 = {
managed; managed;
model = ASA; model = ASA;
interface:n3 = { ip = 10.1.3.2; hardware = n3; } interface:n3 = { ip = 10.1.3.2; hardware = n3; }
interface:n4 = { ip = 10.1.4.1; hardware = n4; bind_nat = d; } interface:n4 = { ip = 10.1.4.1; hardware = n4; bind_nat = d; }
} }
router:r4 = { router:r4 = {
interface:n4 = { ip = 10.1.4.2; hardware = n4; bind_nat = d; } interface:n4 = { ip = 10.1.4.2; hardware = n4; bind_nat = d; }
interface:n1 = { ip = 10.1.1.2; hardware = n1; } interface:n1 = { ip = 10.1.1.2; hardware = n1; nat:d = { ip = 10.9.9.2; } }
} }
pathrestriction:p = interface:r2.n3, interface:r4.n1; pathrestriction:p = interface:r2.n3, interface:r4.n1;
service:s1 = { service:s1 = {
user = network:n3;
permit src = user; dst = host:h10; prt = tcp 81;
}
service:s2 = {
user = network:n2; user = network:n2;
permit src = user; dst = host:h10; prt = tcp 80; permit src = user; dst = network:n1; prt = tcp 82;
} }
service:s2 = { service:s3 = {
user = network:n3; user = network:n3;
permit src = user; dst = host:h10; prt = tcp 81; permit src = user; dst = network:n1; prt = tcp 83;
} }
=END= =END=
=ERROR= =ERROR=
Error: Must not apply dynamic NAT 'd' on path Error: Must not apply dynamic NAT 'd' to dst of rule
of reversed rule permit src=network:n3; dst=network:n1; prt=tcp 83; of service:s3
permit src=network:n3; dst=host:h10; prt=tcp 81; of service:s2
NAT 'd' is active at NAT 'd' is active at
- interface:r3.n4 - interface:r3.n4
- interface:r4.n4 - interface:r4.n4
Add pathrestriction to exclude this path Add pathrestriction to exclude this path
=END= =END=
############################################################ ############################################################
=TITLE=Inconsistent NAT in loop (1) =TITLE=Inconsistent NAT in loop (1)
=INPUT= =INPUT=
network:a = {ip = 10.1.13.0/24; nat:h = { hidden; }} network:a = {ip = 10.1.13.0/24; nat:h = { hidden; }}
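Review bot: In the added test "Multiple hosts in hidden network", the comment `# Only first error is shown.` sits above an =ERROR= block that expects two errors (host:h13 via nat:n1 and host:h43 via nat:n4), so it reads as carried over from the preceding test and no longer matches what is asserted. It looks as if one error is reported per hidden network and the rules of service:s2 and service:s3 are deliberately silent; if that is the intent, say so, e.g. `# Only the first error per hidden network is shown; s2 and s3 are suppressed.` Because of that suppression, host:h14 and host:h44 are never asserted as rejected in this test, so a variant containing only service:s3 would catch a regression that silently accepts a rule to a hidden host, unless a test outside this excerpt already covers it. The same gap applies to service:s3 in "Multiple rules and objects with dynamic NAT", where `# Check correct caching of results.` does not name the rule that is expected to produce no error.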
 End of changes. 17 change blocks. 
21 lines changed or deleted 140 lines changed or added
