CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
-- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
-- see #1929 "move map named_objects inside class NamedObjectManager"
-- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
-- see #1885 "named network and service objects in pix8"
problem reported in the earlier bug (see #1690).
Function Helper::findInterfaceByNetzone() throws FWException, this
changed in v4.1.0 with a fix for #1653.
fixed#1690 "IOS ACL and Procurve ACL compilers fail because
interfaces are not assumed to have network zone "any" anymore".
Compilers for Cisco IOS ACL and Procurve ACL always assumed all
interfaces have network zone "any". Recent changes made in 4.1.0
changed that and compilers stopped working for some rule configurations.
* (PolicyCompiler_cisco::createACLObject): fixed#1688 "Procurve
ACL remarks should be in quotes if they include space"
draft of the object-groups support for Cisco IOS. Controlled by a
checkbox in the "Advanced" settings dialog of the firewall object;
this feature requires IOS v12.4(20)T or later and is off by
default.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
compiler for IOS ACL added only inbound automatic rule to permit
ssh access from the management workstation but did not add a rule
to permit reply packets. This fixes#993
Implemented TCP flag matching per #2865044: "Add TCP options
support for IOS ACL". Uses extended ACL option "match-all" that
supports list of TCP flags that should be set and cleared. This
requires IOS v12.4 or later even though Cisco documentation seems
to indicate this option was introduced in 12.3(4)T. Fixes#455
