"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "go/testdata/aggregate.t" between
Netspoc-6.025.tar.gz and Netspoc-6.026.tar.gz

About: NetSPoC is a network security policy compiler (using its own description language) to manage all the packet filter devices inside your network topology.

aggregate.t (Netspoc-6.025) | aggregate.t (Netspoc-6.026)
skipping to change at line 1190 skipping to change at line 1190
} }
network:n2 = { ip = 10.1.2.0/24; } network:n2 = { ip = 10.1.2.0/24; }
router:u = { router:u = {
interface:n2; interface:n2;
interface:sub-29; interface:sub-29;
} }
any:sub-28 = { ip = 10.1.2.48/28; link = network:n2; } any:sub-28 = { ip = 10.1.2.48/28; link = network:n2; }
network:sub-29 = { ip = 10.1.2.48/29; subnet_of = network:sub-27; } network:sub-29 = { ip = 10.1.2.48/29; subnet_of = network:sub-27; }
# Warning is shown, because some addresses of any:sub-28 are located # Warning is shown, because some addresses of any:sub-28 are located
# inside network:sub-27. # inside network:sub-27.
# Hence also check larger networks since supernet is aggregate.
service:s1 = { service:s1 = {
user = network:n1; user = network:n1;
permit src = user; dst = any:sub-28; prt = tcp 80; permit src = user; dst = any:sub-28; prt = tcp 80;
} }
# No warning, because we know, that addresses of network:sub-29 # Show warning, same reasoning as for any:sub-28,
# are located behind router:r2 and not inside network:sub-27. # but only check smaller subnets.
service:s2 = { service:s2 = {
user = network:n1; user = network:n1;
permit src = user; dst = network:n2; prt = tcp 82;
}
# No warning, because we know that addresses of network:sub-29
# are located behind router:r2 and not inside network:sub-27.
service:s3 = {
user = network:n1;
permit src = user; dst = network:sub-29; prt = tcp 81; permit src = user; dst = network:sub-29; prt = tcp 81;
} }
=END= =END=
=WARNING= =WARNING=
Warning: This supernet rule would permit unexpected access: Warning: This supernet rule would permit unexpected access:
permit src=network:n1; dst=any:sub-28; prt=tcp 80; of service:s1 permit src=network:n1; dst=any:sub-28; prt=tcp 80; of service:s1
Generated ACL at interface:r1.n1 would permit access to additional networks: Generated ACL at interface:r1.n1 would permit access to additional networks:
- network:sub-27 - network:sub-27
Either replace any:sub-28 by smaller networks that are not supernet Either replace any:sub-28 by smaller networks that are not supernet
or add above-mentioned networks to dst of rule. or add above-mentioned networks to dst of rule.
Warning: This supernet rule would permit unexpected access:
permit src=network:n1; dst=network:n2; prt=tcp 82; of service:s2
Generated ACL at interface:r1.n1 would permit access to additional networks:
- network:sub-27
Either replace network:n2 by smaller networks that are not supernet
or add above-mentioned networks to dst of rule.
=END= =END=
############################################################ ############################################################
=TITLE=Don't check aggregate that is subnet of network in same zone =TITLE=Don't check aggregate that is subnet of network in same zone
=INPUT= =INPUT=
network:n1 = { ip = 10.1.1.0/24; } network:n1 = { ip = 10.1.1.0/24; }
router:r1 = { router:r1 = {
managed; managed;
model = IOS, FW; model = IOS, FW;
interface:n1 = { ip = 10.1.1.1; hardware = n1; } interface:n1 = { ip = 10.1.1.1; hardware = n1; }
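Review bot: the comment added above service:s1 ("Hence also check larger networks since supernet is aggregate.") does not read well on its own; suggest "# Since any:sub-28 is an aggregate, larger networks are checked as well (network:sub-27 here)." so it states the expected warning rather than hinting at the implementation. Two smaller points in the same hunk: the comment moved above service:s3 says the addresses of network:sub-29 are "located behind router:r2", but in the topology visible here network:sub-29 is attached through router:u and router:r2 does not appear, so confirm the router name still matches the test input; and the new service:s2 uses tcp 82 while service:s3 keeps tcp 81, so the ports no longer follow service order, which makes the expected =WARNING= block harder to map back to the services.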
skipping to change at line 1247 skipping to change at line 1260
# No warning, because we know, that addresses of any:sub-29 # No warning, because we know, that addresses of any:sub-29
# are located inside network:sub-28 and not inside network:sub-27. # are located inside network:sub-28 and not inside network:sub-27.
service:s1 = { service:s1 = {
user = network:n1; user = network:n1;
permit src = user; dst = any:sub-29; prt = tcp 80; permit src = user; dst = any:sub-29; prt = tcp 80;
} }
=END= =END=
=WARNING=NONE =WARNING=NONE
############################################################ ############################################################
=TITLE=Don't check supernet of supernet.
=INPUT=
network:n1 = { ip = 10.1.0.0/16; }
network:n2 = { ip = 10.1.0.0/23; subnet_of = network:n1; }
network:n3 = { ip = 10.2.1.0/24; }
network:inet = { ip = 0.0.0.0/0; has_subnets; }
network:n4 = { ip = 1.1.1.8/29; }
router:r1 = {
managed;
model = ASA;
interface:n1 = { ip = 10.1.8.1; hardware = n1; }
interface:n2 = { ip = 10.1.0.1; hardware = n2; }
interface:n3 = { ip = 10.2.1.1; hardware = n3; }
}
router:r2 = {
interface:n3 = { ip = 10.2.1.2; }
interface:inet;
}
router:r3 = {
model = IOS, FW;
managed;
routing = manual;
interface:inet = { negotiated; hardware = inet; }
interface:n4 = { ip = 1.1.1.9; hardware = n4; }
}
service:s1 = {
user = network:n1;
permit src = user; dst = network:n4; prt = tcp 81;
}
=END=
=WARNING=NONE
############################################################
=TITLE=Ignore intermediate aggregate from empty automatic group =TITLE=Ignore intermediate aggregate from empty automatic group
=INPUT= =INPUT=
network:n1 = { ip = 10.1.1.0/24; } network:n1 = { ip = 10.1.1.0/24; }
network:n2 = { ip = 10.1.2.0/24; } network:n2 = { ip = 10.1.2.0/24; }
network:n3 = { ip = 10.3.3.0/24; } network:n3 = { ip = 10.3.3.0/24; }
area:n2 = { border = interface:r1.n2; } area:n2 = { border = interface:r1.n2; }
area:n3 = { border = interface:r1.n3; } area:n3 = { border = interface:r1.n3; }
router:r1 = { router:r1 = {
model = IOS; model = IOS;
managed; managed;
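Review bot: the new test "Don't check supernet of supernet." carries no comment explaining why =WARNING=NONE is expected, whereas the neighbouring tests each have a "# No warning, because ..." line; add one naming the relation that is intentionally not checked (network:n1 is declared the supernet of network:n2, which sits in a different zone behind router:r1, and network:n1 is itself covered by network:inet with has_subnets, while service:s1 uses network:n1 only as src), so a later reader can tell an intended result from a regression. Minor: the =TITLE= ends with a period while the other titles in this file do not, and router:r3 lists "model" before "managed;" where router:r1 has them the other way round.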
End of changes. 5 change blocks. 2 lines changed or deleted, 52 lines changed or added.
