fixes#1119 "add test for the integrity of failover cluster
groups". Compilers require all failover group objects to be
configured with interfaces of member firewalls.
fixes#1120 "redundant commands generated for ssh
access". Compiler for PIX generated two "ssh address netmask
inside" commands for the same rule that permits ssh to the firewall.
"fwb_pix uses wrong interface compiling the second cluster
member". NAT compiler for PIX failed to find interface with
correct network zone if interface was a child of another
interface, e.g. vlan subinterface.
#1115: "fwb_pix crash compiling cluster NAT rule set with
interface in TSrc". A cluster interface was used in the TSrc rule
element of a NAT rule. Cluster interfaces of PIX cluster have no
ip addresses of their own (PIX HA pair uses ip addresses of the
master unit); this caused rule element to become empty after
interface object was supposed to be replaced with its ip address.
fixes#1115
fixes#1108: fwb_pix: incorrect access list is generated for
"static". When a firewall or host object with an interface that
was configured with netmask that was not
255.255.255.255 (i.e. configured correctly) was used in TDst of a
NAT rule for PIX firewall, compiler generated configuration that
used subnet instead of just the address of the interface.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-english comments appear correctly in the single
rule compile output and generated configuration files and scripts.
really fixed#869 "compile rule" should also print the comment.
Printing rule comment in the compiler output in the single rule
compile mode when firewall object is configured to use
iptables-restore. Code that prints rule label and comment has been
unified for compilers for all firewall platforms.
compiler for IOS ACL added only inbound automatic rule to permit
ssh access from the management workstation but did not add a rule
to permit reply packets. This fixes#993
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::run): Added
support for failover configurations for PIX.
- Interfaces of member firewalls used for failover configuration
should be marked as "Dedicated failover" interfaces. They should
have normal IP addresses. These interfaces will be used to
generate "failover" commands in the PIX configuration.
- Cluster should have interface with the same name as failover
interfaces of the members, with protocol set to "PIX failover" and
members configured as usual. This interface has no ip address.
- Other interfaces of the cluster have the same name as
corresponding interfaces of the member firewalls, protocol "None"
and failover groups that define members as usual. These cluster
interfaces also have no ip address.
- Cluster state synchronization group uses protocol "PIX state
synchronization" and its members should be configured as usual.
Use failover interfaces of the members as members of the state
sync group.
* Interface.cpp: Added attribute "dedicated_failover" to the
Interface object. Interfaces with this attribute are treated like
other "unprotected" interfaces, that is they are not used to
attach ACLs to and not used in rules. Dedicated failover
interfaces have special meaning in PIX configurations and are used
to describe interfaces used for LAN failover.
does not support IP options matching, compiler issues warning.
Fixes#567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.3 or
later. Fixes#566, #568
remark command". Remarks now include rule comments; if comment
consists of several lines, each line is added using separate
remark statement. This works for both IOS ACL and PIX platforms.
* RoutingCompiler_cisco.cpp (RoutingCompiler_cisco::compile):
fixed bug (no #): routing compiler for pix refused to add more
than one routing rule with an error saying that other rules were
duplicates. Error was introduced in build 732.
* All policy compilers: using FWObjectDatabase::createClass
methods to create rules and other objects in compilers wherever
the type is known at the (code) compile time. This makes code
cleaner and speeds it up a little because of eliminated cast() and
string comparison.
* changes in libfbuilder: eliminated excessive use of dynamic_cast
and long chains of "if" comparing object type names in
FWObjectDatabase in methods that create new objects of given type.