CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
-- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
-- see #1929 "move map named_objects inside class NamedObjectManager"
-- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
-- see #1885 "named network and service objects in pix8"
service objects in pix8". So far, these objects are only used
for nat configuration.
* NATCompiler_asa8_writers.cpp (processNext): fixes#1903 "correct
order of clear commands for ASA 8.3"
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1886 "new nat
configuration in pix 8.3". Initial support for new style nat
configuation.
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
config will compile without interface in Routing rule". Policy
compiler for PIX now checks that both "interface" and "gateway"
rule elements are not empty.
fixes#1108: fwb_pix: incorrect access list is generated for
"static". When a firewall or host object with an interface that
was configured with netmask that was not
255.255.255.255 (i.e. configured correctly) was used in TDst of a
NAT rule for PIX firewall, compiler generated configuration that
used subnet instead of just the address of the inetrface.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-english comments appear correctly in the single
rule compile output and generated configuration files and scripts.
really fixed#869 "compile rule" should also print the comment.
Printing rule comment in the compiler output in the single rule
compile mode when firewall object is configured to use
iptables-restore. Code that prints rule label and comment has been
unified for compilers for all firewall platforms.
compiler for IOS ACL added only inbound automatic rule to permit
ssh access from the management workstation but did not add a rule
to permit reply packets. This fixes#993
does not support IP options matching, compiler issues warning.
Fixes#567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.3 or
later. Fixes#566, #568
