2009-03-19 vadim <vadim@vk.crocodile.org>

* iosacl.cpp (safetyNetInstall): fixed bug #2694146: "IPv6
temporary ACL blocks ICMPv6". Temporary ipv6 access list created
for the "safety net install" should permit icmp.

build_num

@@ -1 +1 @@
-#define BUILD_NUM 785
+#define BUILD_NUM 786

doc/ChangeLog

@@ -1,12 +1,19 @@
+2009-03-19  vadim  <vadim@vk.crocodile.org>
+
+	* iosacl.cpp (safetyNetInstall): fixed bug #2694146: "IPv6
+	temporary ACL blocks ICMPv6". Temporary ipv6 access list created
+	for the "safety net install" should permit icmp.
+
 2009-03-18  vadim  <vadim@vk.crocodile.org>
 
-	* iosacl.cpp (safetyNetInstall): fixed bug (no #): when "safety
-	net install" option is used, temporary access list must be
-	generated only once even when firewall object has multiple
-	rulesets.
+	* iosacl.cpp (safetyNetInstall): fixed bug #2694440 "Multiple
+	policies cause multiple temporary ACLs": when "safety net install"
+	option is used, temporary access list must be generated only once
+	even when firewall object has multiple rulesets.
 
 	* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
-	bug (no #): temporary access list created for IOS when option
+	bug #2694432 "IOS ACL syntax error with IPv6 host addresses &
+	"safety net"": temporary access list created for IOS when option
 	"safety net install" is used and ipv6 address is provided should
 	use keyword "host" if provided address does not specify netmask.
 

src/iosacl/iosacl.cpp

@@ -240,6 +240,7 @@ string safetyNetInstall(Firewall *fw)
                     output << "  permit ipv6 " << addr << " any " << endl;
                 else
                     output << "  permit ipv6 host " << addr << " any " << endl;
+                output << "  permit icmp any any " << endl;
                 output << "  deny ipv6 any any " << endl;
                 output << "exit" << endl;
                 output << endl;

test/iosacl/objects-for-regression-tests.fwb

@@ -172,7 +172,7 @@
       <ServiceGroup id="id4511636C23682_userservices" name="Users" comment="" ro="False"/>
     </ServiceGroup>
     <ObjectGroup id="id4511637423682" name="Firewalls" comment="" ro="False">
-      <Firewall id="id46412B5226577" host_OS="ios" inactive="False" lastCompiled="1230498567" lastInstalled="0" lastModified="1237438960" platform="iosacl" version="12.x" name="testios1" comment="" ro="False">
+      <Firewall id="id46412B5226577" host_OS="ios" inactive="False" lastCompiled="1230498567" lastInstalled="0" lastModified="1237473570" platform="iosacl" version="12.x" name="testios1" comment="" ro="False">
         <NAT id="id46412B5626577" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
         <Policy id="id46412B5526577" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <PolicyRule id="id464154BB29061" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="anti-spoofing">
@@ -637,7 +637,7 @@
           </PolicyRule>
         </Policy>
         <Routing id="id46412B5726577" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
-        <Interface id="id46412B5826577" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
+        <Interface id="id46412B5826577" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
           <IPv4 id="id46412B5926577" name="testios1:ethernet0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
         </Interface>
         <Interface id="id46412B5A26577" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="ethernet1" comment="" ro="False">
@@ -1933,7 +1933,7 @@
           <Option name="verify_interfaces">true</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id19020X65694" host_OS="ios" inactive="False" lastCompiled="1237437124" lastInstalled="0" lastModified="1237437119" platform="iosacl" version="12.x" name="firewall-ipv6-1" comment="" ro="False">
+      <Firewall id="id19020X65694" host_OS="ios" inactive="False" lastCompiled="1237437124" lastInstalled="0" lastModified="1237473586" platform="iosacl" version="12.x" name="firewall-ipv6-1" comment="" ro="False">
         <NAT id="id19428X65694" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
         <Policy id="id19026X65694" name="fw-ipv6-1-ipv4" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
           <PolicyRule id="id19054X65694" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
@@ -2266,7 +2266,7 @@
           </PolicyRule>
         </Policy>
         <Routing id="id19429X65694" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
-        <Interface id="id19430X65694" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
+        <Interface id="id19430X65694" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
           <IPv4 id="id19431X65694" name="firewall-ipv6-1:Ethernet0/0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
           <IPv6 id="id19432X65694" name="firewall-ipv6-1:Ethernet0/0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
         </Interface>