rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally can
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
-- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
-- see #1929 "move map named_objects inside class NamedObjectManager"
-- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
-- see #1885 "named network and service objects in pix8"
fixed#1379 "Should be able to build routing rules with interface
as gateway for IOS". Routing rules for IOS now have column
"Interface". Rules can be built either with explicit address of
the gateway or interface.
draft of the object-groups support for Cisco IOS. Controlled by a
checkbox in the "Advanced" settings dialog of the firewall object;
this feature requires IOS v12.4(20)T or later and is off by
default.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-english comments appear correctly in the single
rule compile output and generated configuration files and scripts.
compiler for IOS ACL added only inbound automatic rule to permit
ssh access from the management workstation but did not add a rule
to permit reply packets. This fixes#993
Implemented TCP flag matching per #2865044: "Add TCP options
support for IOS ACL". Uses extended ACL option "match-all" that
supports list of TCP flags that should be set and cleared. This
requires IOS v12.4 or later even though Cisco documentation seems
to indicate this option was introduced in 12.3(4)T. Fixes#455
does not support IP options matching, compiler issues warning.
Fixes#567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.3 or
later. Fixes#566, #568
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule):
implemented feature request #1778536: "IOSACL - remark command".
This adds support for the "remark" command in generated IOS
ACL configuration. Controlled by the checkbox "Add ACL remarks"
in the "Script" tab of the firewall object settings dialog.
* iosacl.cpp (safetyNetInstall): fixed bug #2694146: "IPv6
temporary ACL blocks ICMPv6". Temporary ipv6 access list created
for the "safety net install" should permit icmp.
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug (no #): temporary access list created for IOS when option
"safety net install" is used and ipv6 address is provided should
use keyword "host" if provided address does not specify netmask.
* fwbedit: properly saving data file after "checktree" operation
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
few bugs (no #) in policy compiler for Cisco IPv6 ACLs:
- The "extended" keyword is not supported by IOS for IPv6 ACLs
- keyword "established" is only valid in combination with
protocol tcp. If standard CustomService objects "ESTABLISHED" and
"ESTABLISHED ipv6" are used in a rule, enforce protocol to "tcp".
- command to clear ipv6 access lists should be "no ipv6
access-list ipv6_management_in"
- command to assign ipv6 acl to interface should be "ipv6
traffic-filter ipv6_acl in"
ipv6" which defines code for iptables, ipfw and IOS extended
access lists for IPv6.
* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol):
fixed behavior or policy compiler for ipfw which was broken in
rev714 - it should print protocol "tcp" when custom service object
that adds option "established" is used. This compiler worked like
that before attribute "protocol" was added to the CustomService
object.
