diff --git a/doc/ChangeLog b/doc/ChangeLog
index dc9f2bcd0..710b1c1fe 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,9 @@
 2011-04-14 vadim
+ * CompilerDriver_pix_run.cpp (pixSecurityLevelChecks): see #2351
+ Security levels of ASA and FWSM interfaces do not have to be
+ unique. Removed check that enforced this.
+
 * IPTImporterRun.cpp (run): see #2275 Importer for iptables now correctly handles both "intrapositioned" ("-s ! address") and "extrapositioned" ("! -s address") negation.
diff --git a/src/cisco_lib/CompilerDriver_pix_run.cpp b/src/cisco_lib/CompilerDriver_pix_run.cpp
index 15f8731cd..a0d1a59e7 100644
--- a/src/cisco_lib/CompilerDriver_pix_run.cpp
+++ b/src/cisco_lib/CompilerDriver_pix_run.cpp
@@ -638,20 +638,21 @@ void CompilerDriver_pix::pixSecurityLevelChecks(Firewall *fw,
 iface2->getOptionsObject()->getBool("cluster_interface"))
 continue;
- if (iface->getSecurityLevel()==iface2->getSecurityLevel())
- {
- QString err(
- "Security level of each interface should be unique, "
- "however interfaces %1 (%2) and %3 (%4)"
- " have the same security level."
- );
- abort(fw, NULL, NULL,
- err.arg(iface->getName().c_str())
- .arg(iface->getLabel().c_str())
- .arg(iface2->getName().c_str())
- .arg(iface2->getLabel().c_str()).toStdString());
- throw FatalErrorInSingleRuleCompileMode();
- }
+ // see #2351. Security levels do not have to be unique
+ // if (iface->getSecurityLevel()==iface2->getSecurityLevel())
+ // {
+ // QString err(
+ // "Security level of each interface should be unique, "
+ // "however interfaces %1 (%2) and %3 (%4)"
+ // " have the same security level."
+ // );
+ // abort(fw, NULL, NULL,
+ // err.arg(iface->getName().c_str())
+ // .arg(iface->getLabel().c_str())
+ // .arg(iface2->getName().c_str())
+ // .arg(iface2->getLabel().c_str()).toStdString());
+ // throw FatalErrorInSingleRuleCompileMode();
+ // }
 if (iface->getLabel()==iface2->getLabel())
 {
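Review bot: With the equality test in pixSecurityLevelChecks disabled, two interfaces that share a security level now compile with no diagnostic at all, so an accidental duplicate level goes unnoticed. On ASA and FWSM, traffic between same-level interfaces is treated differently from higher-to-lower traffic (it is dropped unless `same-security-traffic permit inter-interface` is configured), and the hunk does not show whether the generated configuration accounts for that; a non-fatal warning naming both interfaces, in place of the `abort(...)` and `throw` pair, would keep the operator informed. Separately, the added lines keep the old block as commented-out code; deleting it and leaving a single comment such as `// see #2351: ASA and FWSM interfaces may share a security level` reads better, since the removed text stays in version history. The enclosing loop and function start before the hunk, and the label check that follows continues past its last line.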