* CompilerDriver_pix_run.cpp (pixSecurityLevelChecks): see #2351

Security levels of ASA and FWSM interfaces do not have to be unique. Removed check that enforced this.
2026-03-21 10:47:16 +01:00 · 2011-04-14 18:58:36 -07:00 · 2011-04-14 18:58:36 -07:00 · 14258139ee
commit 14258139ee
parent dbb1e8ab57
2 changed files with 19 additions and 14 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,9 @@
 2011-04-14  vadim  <vadim@netcitadel.com>

+	* CompilerDriver_pix_run.cpp (pixSecurityLevelChecks): see #2351
+	Security levels of ASA and FWSM interfaces do not have to be
+	unique. Removed check that enforced this.
+
 	* IPTImporterRun.cpp (run): see #2275 Importer for iptables now
 	correctly handles both "intrapositioned" ("-s ! address") and
 	"extrapositioned" ("! -s address") negation.
--- a/src/cisco_lib/CompilerDriver_pix_run.cpp
+++ b/src/cisco_lib/CompilerDriver_pix_run.cpp
@ -638,20 +638,21 @@ void CompilerDriver_pix::pixSecurityLevelChecks(Firewall *fw,
                iface2->getOptionsObject()->getBool("cluster_interface"))
                continue;

-            if (iface->getSecurityLevel()==iface2->getSecurityLevel())
-            {
-                QString err(
-                    "Security level of each interface should be unique, "
-                    "however interfaces %1 (%2) and %3 (%4)"
-                    " have the same security level."
-                );
-                abort(fw, NULL, NULL,
-                      err.arg(iface->getName().c_str())
-                      .arg(iface->getLabel().c_str())
-                      .arg(iface2->getName().c_str())
-                      .arg(iface2->getLabel().c_str()).toStdString());
-                throw FatalErrorInSingleRuleCompileMode();
-            }
+            // see #2351. Security levels do not have to be unique
+            // if (iface->getSecurityLevel()==iface2->getSecurityLevel())
+            // {
+            //     QString err(
+            //         "Security level of each interface should be unique, "
+            //         "however interfaces %1 (%2) and %3 (%4)"
+            //         " have the same security level."
+            //     );
+            //     abort(fw, NULL, NULL,
+            //           err.arg(iface->getName().c_str())
+            //           .arg(iface->getLabel().c_str())
+            //           .arg(iface2->getName().c_str())
+            //           .arg(iface2->getLabel().c_str()).toStdString());
+            //     throw FatalErrorInSingleRuleCompileMode();
+            // }

            if (iface->getLabel()==iface2->getLabel())
            {