see #1920 Setting host interface to unnumbered after it has been assigned IP address doesnt have desired effect

2026-03-20 18:27:16 +01:00 · 2011-02-20 18:03:21 -08:00 · 2011-02-20 18:03:21 -08:00 · e9e7f89cf2
commit e9e7f89cf2
parent 37ab989922
40 changed files with 105 additions and 40 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,11 @@
+2011-02-20  vadim  <vadim@netcitadel.com>
+
+	* Compiler.cpp (_expand_interface): fixes #1920 "Setting host
+	interface to unnumbered after it has been assigned IP address
+	doesn't have desired effect". Compiler still used ip addresses
+	that belonged to the interface even if it switchd to "unnumbered".
+	These children address objects should be ignored.
+
 2011-02-19  vadim  <vadim@netcitadel.com>

 	* NATCompiler_pix.cpp (processNext): see #2098 Added support for
--- a/src/libfwbuilder/src/fwcompiler/Compiler.cpp
+++ b/src/libfwbuilder/src/fwcompiler/Compiler.cpp
@ -455,7 +455,9 @@ void Compiler::_expand_interface(Rule *rule,
            continue;
        }

-        if (Address::cast(o)!=NULL && MatchesAddressFamily(o)) ol.push_back(o);
+        if ( ! iface->isUnnumbered() &&
+             Address::cast(o)!=NULL &&
+             MatchesAddressFamily(o)) ol.push_back(o);
    }

    if (expand_cluster_interfaces_fully && iface->isFailoverInterface())
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:22 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:19 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1-1_pix2.fw.orig
+++ b/test/pix/cluster1-1_pix2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:22 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:19 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1_pix1.fw.orig
+++ b/test/pix/cluster1_pix1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:21 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:18 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/cluster1_pix2.fw.orig
+++ b/test/pix/cluster1_pix2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:22 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:19 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall.fw.orig
+++ b/test/pix/firewall.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:02 2011 PST by vadim
+!  Generated Sun Feb 20 18:00:59 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall1.fw.orig
+++ b/test/pix/firewall1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:02 2011 PST by vadim
+!  Generated Sun Feb 20 18:00:58 2011 PST by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
--- a/test/pix/firewall10.fw.orig
+++ b/test/pix/firewall10.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:03 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:00 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall11.fw.orig
+++ b/test/pix/firewall11.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:03 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:00 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall12.fw.orig
+++ b/test/pix/firewall12.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:04 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:01 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall13.fw.orig
+++ b/test/pix/firewall13.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:04 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:01 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall14.fw.orig
+++ b/test/pix/firewall14.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:05 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:02 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall2.fw.orig
+++ b/test/pix/firewall2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:44:51 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:02 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall20.fw.orig
+++ b/test/pix/firewall20.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:06 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:03 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall21-1.fw.orig
+++ b/test/pix/firewall21-1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:08 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:04 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall21.fw.orig
+++ b/test/pix/firewall21.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:07 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:03 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall22.fw.orig
+++ b/test/pix/firewall22.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:08 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:04 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall23.fw.orig
+++ b/test/pix/firewall23.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:09 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:05 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall3.fw.orig
+++ b/test/pix/firewall3.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:09 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:05 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall33.fw.orig
+++ b/test/pix/firewall33.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:10 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:06 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall34.fw.orig
+++ b/test/pix/firewall34.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:10 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:07 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@ -74,6 +74,61 @@ object-group network id16988X10208.dst.net.0
 exit

 object-group network id4390C25825682.dst.net.0
+  network-object 58.33.181.83 255.255.255.255 
+  network-object 58.53.82.190 255.255.255.255 
+  network-object 58.231.13.78 255.255.255.255 
+  network-object host 61.150.47.112 
+  network-object 61.184.14.102 255.255.255.255 
+  network-object 64.106.85.186 255.255.255.255 
+  network-object 70.228.60.100 255.255.255.255 
+  network-object 80.51.236.6 255.255.255.255 
+  network-object 80.243.72.149 255.255.255.255 
+  network-object 80.249.77.34 255.255.255.255 
+  network-object 81.2.36.254 255.255.255.255 
+  network-object 81.196.74.125 255.255.255.255 
+  network-object 82.77.37.174 255.255.255.255 
+  network-object 82.117.221.205 255.255.255.255 
+  network-object 82.143.196.17 255.255.255.255 
+  network-object 84.90.8.198 255.255.255.255 
+  network-object 151.8.224.178 255.255.255.255 
+  network-object 168.156.76.20 255.255.255.255 
+  network-object 193.207.126.36 255.255.255.255 
+  network-object 195.136.186.35 255.255.255.255 
+  network-object 196.15.136.15 255.255.255.255 
+  network-object 201.10.180.138 255.255.255.255 
+  network-object 201.17.93.16 255.255.255.255 
+  network-object 201.36.156.121 255.255.255.255 
+  network-object 202.96.112.93 255.255.255.255 
+  network-object 202.103.25.253 255.255.255.255 
+  network-object 203.162.3.209 255.255.255.255 
+  network-object 203.209.124.144 255.255.255.255 
+  network-object 210.106.193.237 255.255.255.255 
+  network-object 210.222.114.102 255.255.255.255 
+  network-object 211.144.143.143 255.255.255.255 
+  network-object 211.172.218.237 255.255.255.255 
+  network-object 211.250.16.132 255.255.255.255 
+  network-object 212.21.241.31 255.255.255.255 
+  network-object 212.100.212.100 255.255.255.255 
+  network-object 218.18.72.252 255.255.255.255 
+  network-object 218.39.114.122 255.255.255.255 
+  network-object 218.55.115.43 255.255.255.255 
+  network-object 218.104.138.146 255.255.255.255 
+  network-object 219.132.104.160 255.255.255.255 
+  network-object 220.71.17.86 255.255.255.255 
+  network-object 220.81.50.105 255.255.255.255 
+  network-object 220.91.99.46 255.255.255.255 
+  network-object 221.14.249.242 255.255.255.255 
+  network-object 221.166.177.135 255.255.255.255 
+  network-object 221.198.33.38 255.255.255.255 
+  network-object 221.202.160.233 255.255.255.255 
+  network-object 221.205.54.125 255.255.255.255 
+  network-object 221.217.44.248 255.255.255.255 
+  network-object 222.100.212.223 255.255.255.255 
+  network-object 222.121.118.144 255.255.255.255 
+  network-object 222.174.113.2 255.255.255.255 
+exit
+
+object-group network id4388CFF8674.src.net.0
  network-object 58.33.181.83 255.255.255.255 
  network-object 58.53.82.190 255.255.255.255 
  network-object 58.231.13.78 255.255.255.255 
@ -159,7 +214,7 @@ access-list outside_acl_in deny   tcp any object-group id4390C25825682.dst.net.0
 access-list inside_acl_in deny   tcp any object-group id4390C25825682.dst.net.0 eq 25 
 ! 
 ! Rule  5 (global)
-access-list outside_acl_in deny   ip object-group id4390C25825682.dst.net.0 any log 6 interval 300
+access-list outside_acl_in deny   ip object-group id4388CFF8674.src.net.0 any log 6 interval 300
 ! 
 ! Rule  6 (global)
 access-list outside_acl_in deny   ip object-group id4390C25825682.dst.net.0 any log 6 interval 300
--- a/test/pix/firewall4.fw.orig
+++ b/test/pix/firewall4.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:11 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:07 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall50.fw.orig
+++ b/test/pix/firewall50.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:11 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:08 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/firewall6.fw.orig
+++ b/test/pix/firewall6.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:12 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:08 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall8.fw.orig
+++ b/test/pix/firewall8.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:13 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:10 2011 PST by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
--- a/test/pix/firewall80.fw.orig
+++ b/test/pix/firewall80.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:13 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:10 2011 PST by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported
--- a/test/pix/firewall81.fw.orig
+++ b/test/pix/firewall81.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:14 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:11 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall82.fw.orig
+++ b/test/pix/firewall82.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:14 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:11 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall83.fw.orig
+++ b/test/pix/firewall83.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:15 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:12 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall9.fw.orig
+++ b/test/pix/firewall9.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:15 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:12 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
--- a/test/pix/firewall90.fw.orig
+++ b/test/pix/firewall90.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:16 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:13 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall91.fw.orig
+++ b/test/pix/firewall91.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:16 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:13 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall92.fw.orig
+++ b/test/pix/firewall92.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:17 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:14 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall93.fw.orig
+++ b/test/pix/firewall93.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:17 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:14 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/firewall94.fw.orig
+++ b/test/pix/firewall94.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:18 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:15 2011 PST by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
--- a/test/pix/fwsm1.fw.orig
+++ b/test/pix/fwsm1.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:18 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:15 2011 PST by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported
--- a/test/pix/fwsm2.fw.orig
+++ b/test/pix/fwsm2.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:19 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:16 2011 PST by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
--- a/test/pix/pix515.fw.orig
+++ b/test/pix/pix515.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:20 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:17 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
--- a/test/pix/real.fw.orig
+++ b/test/pix/real.fw.orig
@ -3,7 +3,7 @@
 !
 !  Firewall Builder  fwb_pix v4.2.0.3483
 !
-!  Generated Sun Feb 20 17:26:20 2011 PST by vadim
+!  Generated Sun Feb 20 18:01:17 2011 PST by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported