v6.025
 - Added new command 'check-acl'
   Usage: check-acl [-f file] code/router acl ['ip1 ip2 tcp|udp port']...
   This command checks if the given packets would be permitted or denied
   by the specified ACL.
   The ACL is read from the code file that was generated by Netspoc for the given router.
   Packet descriptions are given on the command line or read from a file.
   Each packet description is written to STDOUT,
   prefixed with "permit" or "deny".
 - Added check for rules with identical service body.
   Two services have an identical body if their rule definitions are equal
   and their lists of users could be combined into a single list.
   This check is enabled with option
        '--check_identical_services=0|warn|err'.
   Default is off.
   Printing of warn messages is controlled with attribute 'identical_body'.
   A)
   The warning for two identical services s1, s2 can be suppressed by
   adding the attribute 'identical_body = service:s2' to service:s1
   or 'identical_body = service:s1' to service:s2.
   B)
   The attribute 'identical_body = enable|restrict|ok;'
   at an area, zone or network controls the printing of warn messages.
   The attribute is inherited by all objects contained in the
   given area, zone or network.
   - If at least one object used in the rule definitions of identical services
     has the attribute 'identical_body = restrict',
     an identical body is forbidden and the warning can't be disabled.
   - If all objects have the attribute 'identical_body = ok',
     an identical body is allowed and no warning is shown.
   - Otherwise a warning is shown that can be suppressed.
 - Changed output of command 'export-netspoc'
   IP of any:... is now written as 0.0.0.0/0.0.0.0 and not as 0.0.0.0
hknutzen committed Feb 18, 2021
1 parent 43bcd08 commit 99c8e76
Showing 1 changed file with 35 additions and 0 deletions.
35 changes: 35 additions & 0 deletions Changes
@@ -1,5 +1,40 @@
{{$NEXT}}

6.025 2021-02-18 10:44:32+01:00 Europe/Berlin

- Added new command 'check-acl'
Usage: check-acl [-f file] code/router acl ['ip1 ip2 tcp|udp port']...
This command checks if given packets would be permitted or denied
by specified ACL.
ACL is read from code file that was generated by Netspoc for given router.
Packet descriptions are given on command line or read from file.
Each packet description is written to STDOUT,
prefixed with "permit" or "deny".
- Added check for rules with identical service body.
Two services have identical body, if rule definitions are equal
and lists of users could be combined into a single list.
This check is enabled with option
'--check_identical_services=0|warn|err'.
Default is off.
Printing of warn messages is controlled with attribute 'identical_body'.
A)
Warning for two identical services s1, s2 can be suppressed by
adding attribute 'identical_body = service:s2' to service:s1
or 'identical_body = service:s1' to service:s2.
B)
Attribute 'identical_body = enable|restrict|ok;'
at area, zone or network controls printing of warn messages.
The attribute is inherited to all objects contained in
given area, zone or network.
- If at least one object used in rule definitions of identical services
has attribute 'identical_body = restrict',
identical body is forbidden and warning can't be disabled.
- If all objects have attribute 'identical_body =ok',
identical body is allowed and no warning is shown.
- Otherwise a warning is shown that can be suppressed.
- Changed output of command 'export-netspoc'
IP of any:... is now written as 0.0.0.0/0.0.0.0 and not as 0.0.0.0

6.024 2021-02-02 15:10:10+01:00 Europe/Berlin

- Support new radius attribute "group-lock".
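Review bot: the B) paragraph lists 'identical_body = enable|restrict|ok;' but the three bullets below it only define the behaviour for 'restrict', 'ok' and "otherwise", so the entry never says what 'enable' does; add a sentence for it. Two smaller points in the same entry: "Default is off." does not match the option syntax '--check_identical_services=0|warn|err', so either write "Default is 0." or list 'off' as an accepted value; and 'identical_body =ok' should be spaced like the other examples, 'identical_body = ok'.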
