Commit
- Added new command 'check-acl'

  Usage: check-acl [-f file] code/router acl ['ip1 ip2 tcp|udp port']...

  This command checks if given packets would be permitted or denied by the specified ACL. The ACL is read from the code file that was generated by Netspoc for the given router. Packet descriptions are given on the command line or read from a file. Each packet description is written to STDOUT, prefixed with "permit" or "deny".

- Added check for rules with identical service body.

  Two services have an identical body if their rule definitions are equal and their lists of users could be combined into a single list. This check is enabled with option '--check_identical_services=0|warn|err'. Default is off.

  Printing of warn messages is controlled with attribute 'identical_body'.

  A) A warning for two identical services s1, s2 can be suppressed by adding attribute 'identical_body = service:s2' to service:s1 or 'identical_body = service:s1' to service:s2.

  B) Attribute 'identical_body = enable|restrict|ok;' at area, zone or network controls printing of warn messages. The attribute is inherited by all objects contained in the given area, zone or network.

  - If at least one object used in the rule definitions of identical services has attribute 'identical_body = restrict', an identical body is forbidden and the warning can't be disabled.
  - If all objects have attribute 'identical_body = ok', an identical body is allowed and no warning is shown.
  - Otherwise a warning is shown that can be suppressed.

- Changed output of command 'export-netspoc'

  IP of any:... is now written as 0.0.0.0/0.0.0.0 and not as 0.0.0.0
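The precedence between 'restrict', 'ok' and pairwise suppression described above, as an added illustration that is not Netspoc's own code: the Obj/Service classes, the rule shape (destination, protocol) and the sample services are constructed here, and the assumption that '--check_identical_services=err' reports every remaining finding as an error is the author's of this example, not stated in the commit.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Constructed, simplified model (not Netspoc's data model). identical_body holds
# the value already inherited from the enclosing area/zone/network, if any.
@dataclass(frozen=True)
class Obj:
    name: str
    identical_body: Optional[str] = None  # None | 'enable' | 'restrict' | 'ok'

@dataclass
class Service:
    name: str
    users: Tuple[Obj, ...]
    rules: Tuple[Tuple[Obj, str], ...]  # (destination, protocol); source is 'user'
    suppress: Optional[str] = None      # 'identical_body = service:X' on this service

def identical_body(s1: Service, s2: Service) -> bool:
    """Rule definitions equal; the two user lists can then be combined."""
    return s1.rules == s2.rules

def verdict(s1: Service, s2: Service) -> str:
    """Apply the commit's precedence to one pair with identical body."""
    objs = set(s1.users) | set(s2.users) | {dst for dst, _ in s1.rules}
    attrs = [o.identical_body for o in objs]
    if 'restrict' in attrs:
        return 'err'            # forbidden; cannot be suppressed
    if attrs and all(a == 'ok' for a in attrs):
        return 'ok'             # allowed; nothing is reported
    if s1.suppress == s2.name or s2.suppress == s1.name:
        return 'suppressed'     # case A: pairwise suppression
    return 'warn'

def check_identical_services(services: List[Service], option: str = '0'):
    """option mirrors --check_identical_services=0|warn|err ('0' = off)."""
    if option == '0':
        return []
    findings = []
    for s1, s2 in combinations(services, 2):
        if identical_body(s1, s2):
            v = verdict(s1, s2)
            if v in ('warn', 'err'):   # assumption: 'err' upgrades warnings
                findings.append((s1.name, s2.name, 'err' if option == 'err' else v))
    return findings

def sample_services() -> List[Service]:
    web, n1 = Obj('host:web'), Obj('network:n1')
    n2 = Obj('network:n2', identical_body='restrict')     # inherited from its zone
    return [Service('service:s1', (n1,), ((web, 'tcp 80'),)),
            Service('service:s2', (Obj('network:n3'),), ((web, 'tcp 80'),), suppress='service:s1'),
            Service('service:s3', (n2,), ((web, 'tcp 80'),))]
```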