2010-12-15  heinz  <heinz@Buero>

	* Netspoc.pm:
	Fixed bug in check_for_transient_any_rule when comparing stateless
	rules.

2010-12-03  heinz  <heinz@Buero>

	* Netspoc.pm: Removed white space around "description" lines.

2010-12-02  heinz  <heinz@Buero>

	* Netspoc.pm:
	Added check for unused owner and admins and for redundant owners.
	{router_attributes}->{owner} is now handled in propagate_owners.

	* Netspoc.pm: Removed compatibility with "nat = .." syntax.

2010-12-01  heinz  <heinz@Buero>

	* Netspoc.pm:
	Fixed sub unique: must use 'values' not 'keys', otherwise references
	are destroyed.

2010-11-29  heinz  <heinz@Buero>

	* Netspoc.pm:
	Renamed attribute "nat = .." at interface to "bind_nat = ..".
	This allows better distinction between binding and definition of NAT.
	(Old syntax "nat = .." is still accepted currently.)

	Allow multiple NAT tags at attribute bind_nat of an interface.
	This simplifies definition of NAT for devices with multiple interfaces.
	Multiple NAT tags at an interface must not be used to define
	inconsistent translations for the same network.

	Example: Device with 3 attached networks a, b, c,
	each being translated to an external address when passing the device.
	Previously, the external address had to be defined separately for
	each destination.

	network:a = {
	 ip = ip_orig;
	 nat:for_b = { ip = a_ext; }
	 nat:for_c = { ip = a_ext; }
	}
	router:r = {
	 interface:a = { nat = for_a; }
	 interface:b = { nat = for_b; }
	 interface:c = { nat = for_c; }
	}

	The new version allows a single translation to be reused for multiple
	destinations.

	network:a = {
	 ip = ip_orig;
	 nat:from_a = { ip = a_ext; }
	}
	router:r = {
	 interface:a = { bind_nat = from_b, from_c; }
	 interface:b = { bind_nat = from_a, from_c; }
	 interface:c = { bind_nat = from_a, from_b; }
	}

	Defined a new internal function aref_eq.
	Fixed a validation in find_subnets. Dynamic NAT to loopback interface
	is now checked fully.

2010-11-26  heinz  <heinz@Buero>

	* netspoc: Added help text for "check_transient_any_rules".

	* Netspoc.pm:
	There was a bug when printing the result of check for missing transient
	any rules. The result was only printed if some rule was missing more
	than once.
	This has been fixed.
	The error message for missing transient any rules has been clarified.
	Checking of transient any rules has been made configurable and
	currently is disabled by default.

	* Netspoc.pm: Added attribute 'extend' to owner.
	Per default, an owner is inherited from the enclosing any/area only
	if the current object doesn't define an owner itself.
	If the owner at the enclosing object has attribute 'extend', the admins
	of this owner extend the owner of the current object.
	Added check for duplicate attributes while reading admin.

2010-11-24  heinz  <heinz@Buero>

	* Netspoc.pm: Refuse attribute 'owner' at unmanaged router.

2010-11-19  heinz  <heinz@Buero>

	* Netspoc.pm:
	Check that one email address does not belong to different admins.

	* cut-netspoc: Added owners and admins.

	* netspoc:
	Moved call to show_version after argument and config handling to make
	"-quiet" effective.

	* Netspoc.pm:
	There was a bug in loop_path_walk. If a loop entry or exit was an
	'any' object and the in / out interface had a pathrestriction applied,
	and $call_at_router was true,
	then the function argument was accidentally applied to the any object.
	This has been fixed.

2010-11-12  heinz  <heinz@Buero>

	* Netspoc.pm:
	Moved definition of mask2prefix and prefix2mask behind definition of
	print_ip.

2010-11-11  heinz  <heinz@Buero>

	* netspoc:
	Command line handling has been moved into this file from Netspoc.pm.
	Improved usage and help messages.
	Use Pod::Usage to show usage and help messages.

	* Netspoc.pm:
	Added new config options to control warning messages for owners:
	- check_policy_unknown_owner = 0|1|warn
	- check_policy_multi_owner = 0|1|warn
	Changed handling of config options:
	- Options can be defined in a file named 'config' in toplevel directory
	  of netspoc input.
	- Command line handling has been moved to main program 'netspoc'.
	- Command line options override options from config file.
	- Options are stored in a global hash %config. This replaces single
	  global variables, which had been used before.
	New subroutines to handle config options:
	- get_config_keys
	- get_config_pattern
	- check_config_pair
	- read_config
	- set_config
	Directories 'raw' and '*.private' get only special handling in toplevel
	directory. This fixes a possible security issue with '*.private'.
	Removed 'raw' from ignore_files.
	Variable $start_time is initialized during module loading now,
	not at first call to info().
	Changed skip_space_and_comment to handle comment at end of file with
	missing linefeed.
	No longer use typeglobs as filehandle and dirhandle but use local
	variables instead.

2010-11-10  heinz  <heinz@Buero>

	* Netspoc.pm: New exported subroutine set_policy_owner which
	- propagates owners in topology:
	  area -> any -> network -> host | interface
	- deduces the owner of each policy from owners of topology objects,
	- gives warning for policy with multiple or unknown owners.
	New syntax attributes for policy
	- 'multi_owner' suppresses warnings about multiple owners,
	- 'unknown_owner' suppresses warnings about unknown owners.
	New internal attribute 'has_user' with values 'both', 'src', 'dst'
	at rules of policies.

2010-11-05  heinz  <heinz@Buero>

	* Netspoc.pm: Implemented new attribute 'visible' for policy.
	The value is used by netspoc-web to decide if a policy is visible
	to some owner who currently isn't a user of the policy.
	Valid values are "*" or "<prefix>*".
	This matches all owner names or only owner names with that prefix.

2010-11-01  heinz  <heinz@Buero>

	* Netspoc.pm:
	No longer delete cleartext connection to router with ID hosts.
	Ignore interface with global active pathrestriction
	- when checking short interface for missing IP for routing,
	- when finding any-clusters connected by semi-managed routers.
	Ignore short and negotiated interface when trying to guess route for
	encrypted traffic.

2010-10-25  heinz  <heinz@Buero>

	* Netspoc.pm: Attribute 'owner' for router.
	Attribute 'router_attributes' for area. Currently only with 'owner' as
	sub-attribute.
	Managed router inherits 'router_attributes' from area.
	router_attributes from smaller area override equal attribute from
	enclosing area.

2010-10-07  heinz  <heinz@Buero>

	* Netspoc.pm: Don't use subroutines skip, check, read_identifier
	while reading a token of an extended name. Otherwise we would
	accidentally allow whitespace inside a token.

2010-10-05  heinz  <heinz@Buero>

	* Netspoc.pm:
	Fixed generated 'pre-shared-key' command: use '*****' instead of '*'.

2010-09-30  heinz  <heinz@Buero>

	* missing-approve: Don't abort on error.
	Handle bz2 and tbz, tbz optionally including *.gz files.

2010-09-22  heinz  <heinz@Buero>

	* Netspoc.pm: A pathrestriction at border of loop wasn't handled
	correctly, if path didn't start / end at this interface, but only
	passed through this interface.  This has been fixed.

2010-09-15  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed order for ACL lines with service esp or ah.

2010-09-01  heinz  <heinz@Buero>

	* print-group: Don't combine adjacent hosts.

	* Netspoc.pm: If 3rd parameter of expand_group has value
	'no_combine', hosts are converted to subnets, but adjacent subnets
	are not combined. This is currently used from program print-group.

2010-08-31  heinz  <heinz@Buero>

	* print-group:
	Uses parser of Netspoc to analyze group names from command line.
	Supports automatic groups as well as union, complement, intersection.
	Added documentation for Pod::Usage.
	Added perl parameters "-CSDAL" to allow unicode names in command line.
	Removed "use locale" and "use lib".

	* netspoc: Removed fiddling with use lib. Netspoc.pm now has to be
	installed into a standard location.

	* Netspoc.pm:
	- use open qw(:std :utf8) instead of ':locale'.
	- No longer use locale, this may change the order of rules in ACLs.
	- Write use Exporter instead of require Exporter.
	- use Encode and convert result of readdir by Encode::decode to 'UTF-8'.
	- Removed the hashbang line from this perl module.

2010-08-30  heinz  <heinz@Buero>

	* print-group: Abort faster on error.

	* Netspoc.pm: Added migration flag "o" to model of router
	definition.  This adds a line "[ OldApprove ]" to the generated
	code of marked device.

	* Netspoc.pm:
	Add support for attribute 'isolated_ports' at networks and attribute
	'promiscuous_port' at interfaces.
	If a network has attribute 'isolated_ports', hosts inside this network
	are not allowed to talk directly to each other. Instead the traffic
	must go through an interface which is marked as 'promiscuous_port'.
	Non promiscuous interfaces are isolated as well.
	They are handled like hosts.
	Swapped parameters of sub aref_delete.
	Substituted local anonymous function $all_eq by global sub equal.

2010-08-26  heinz  <heinz@Buero>

	* Netspoc.pm: Hosts no longer support multiple IP addresses, but
	only single IP addresses or ranges.

	* Netspoc.pm: Tidy up link_topology.

2010-07-21  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed bugfix in previous version.

	* Netspoc.pm: The implementation of "no_in_acl" had a bug.
	Outgoing ACLs included only ACL lines from the "no_in_acl"
	interface.  But ACL lines for traffic from other interfaces was
	missing in the outgoing ACL. This has been fixed.

2010-07-14  heinz  <heinz@Buero>

	* Netspoc.pm: No longer generate 'peer-id-validate req' for
	'tunnel-group ipsec-attributes', because it is the default value.

2010-07-09  heinz  <heinz@Buero>

	* Netspoc.pm:
	Removed duplicate "no sysopt connection permit-vpn" in print_crypto

2010-06-17  heinz  <heinz@Buero>

	* Netspoc.pm: Changed /usr/sbin/iptables-restore to
	/sbin/iptables-restore in Linux output, because this is the
	standard path for debian lenny.

2010-06-16  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed check for any rules with no_in_acl.
	Changed test from
	(A) rule "permit any:X dst"
	 a)  any:X == any:Y: filtering occurs at outgoing ACL, good
	 b)  any:X != any:Y: outgoing ACL would accidentally permit any:Y->dst.
	              bad, additional rule required: "permit any:Y->dst"
	to
	(A) rule "permit any:X dst"
	 a)  dst behind Y: filtering occurs at incoming ACL of X, good.
	 b)  dst not behind Y:
	   1. any:X == any:Y: filtering occurs at outgoing ACL, good.
	   2. any:X != any:Y: outgoing ACL would accidentally permit any:Y->dst, bad.
	               additional rule required: "permit any:Y->dst"

	* Netspoc.pm: Added new attribute 'no_in_acl' for interfaces.
	With this attribute, no incoming ACL is generated for an interface.
	Outgoing ACLs are added to all other interfaces of the same device
	instead.
	This is useful for situations like this:
	1. A packet filter connects multiple customers with some central site.
	   Each customer needs to inspect the ACLs of 'his' interface,
	   but must not see ACLs of the other customers.
	   Declaring the interface to the central site with 'no_in_acl' adds
	   outgoing ACL to each customer interface.
	2. A packet filter has three interfaces A, B, C.
	   There is a rule "permit network:A -> any:[network:B]"
	   With only incoming ACLs this would allow traffic
	   "network:A -> any:[network:C]" as well.
	   With attribute 'no_in_acl' at interface A we get outgoing ACLs
	   at interface B and C which permit traffic to any:[network:B]
	   but not to any:[network:C].
	For IOS there remains a minimal incoming ACL that filters traffic
	for the device itself.
	These restrictions apply:
	- At most one interface with 'no_in_acl' is allowed per device.
	- Multiple interfaces at the same hardware are not allowed if
	  'no_in_acl' is declared at some logical interface of this hardware.
	- 'no_in_acl' must not be used together with crypto tunnels at
	  the same device.
	- All interfaces must equally use or not use outgoing ACLs at
	  a crosslink network.
	- All interfaces with attribute 'no_in_acl' at routers connected by a
	  crosslink network must be border of the same security domain.
	Outgoing ACLs are supported for model IOS, Linux and ASA.
	For convenience, the attribute 'no_in_acl' can be added to an 'any'
	object. It is then inherited by all border interfaces of this 'any'
	object. Inheritance is stopped for devices which already have an
	attribute 'no_in_acl' declared at some interface or have an
	attribute 'std_in_acl' declared at the device level.
	Consistency check for any rules has been changed at devices which use
	attribute 'no_in_acl' at some interface.
	Let's assume, we have a single interface Y (with attached any:Y)
	without ACL and all other interfaces having incoming and outgoing ACLs.
	(A) rule "permit any:X dst"
	  - any:X == any:Y: filtering occurs at outgoing ACL, good.
	  - any:X != any:Y: outgoing ACL would accidentally
	                                 permit any:Y -> dst, bad.
	                    We require to additionally define
	                                 "permit any:Y -> dst".
	(B) rule "permit src any:X"
	  - src behind Y: filtering occurs at outgoing ACLs, good.
	  - src not behind Y:
	    - any:X == any:Y: filtering occurs at incoming ACL at src and at
	                      outgoing ACLs of other non-any:X interfaces, good.
	    - any:X != any:Y: incoming ACL at src would accidentally
	                                  permit src -> any:Y,
	                      bad, additional rule required:
	                                  "permit src -> any:Y".
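	Added example, not part of the original ChangeLog and not Netspoc
	project code: the three-interface situation from item 2 above, written
	as Netspoc input. The addresses and names are constructed, and the
	attribute spellings ip, mask, managed, model, hardware, link and srv
	are my assumptions about the input syntax of that version, not taken
	from this ChangeLog.

```netspoc
# Constructed example (not from the Netspoc ChangeLog): a packet filter
# with three interfaces A, B, C and the single rule
# "permit network:A -> any:[network:B]".
# Attribute spellings ip, mask, managed, model, hardware, link and srv
# are assumptions about the Netspoc syntax of that era.

network:A = { ip = 10.1.1.0; mask = 255.255.255.0; }
network:B = { ip = 10.1.2.0; mask = 255.255.255.0; }
network:C = { ip = 10.1.3.0; mask = 255.255.255.0; }

# Security domains behind interfaces B and C; any:[network:B] in the
# rule below resolves to any:B.
any:B = { link = network:B; }
any:C = { link = network:C; }

router:filter = {
 managed;
 model = IOS;
 # no_in_acl at A: no incoming ACL is generated there. Outgoing ACLs are
 # generated at B and C instead (for IOS a minimal incoming ACL that only
 # protects the device itself remains at A).
 interface:A = { ip = 10.1.1.1; hardware = Ethernet0; no_in_acl; }
 interface:B = { ip = 10.1.2.1; hardware = Ethernet1; }
 interface:C = { ip = 10.1.3.1; hardware = Ethernet2; }
}

service:http = tcp 80;

policy:web = {
 user = network:A;
 # With only incoming ACLs at A this rule would also let
 # network:A -> any:[network:C] pass. With no_in_acl at A the
 # permit line lands in the outgoing ACL of B only; the outgoing ACL
 # of C gets no such line, so traffic to any:C stays denied.
 permit src = user; dst = any:[network:B]; srv = service:http;
}
```

	Note that the restrictions listed above still apply to this
	topology: only interface A carries no_in_acl, no crypto tunnel is
	defined at router:filter, and no crosslink network is involved.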

2010-06-04  heinz  <heinz@Buero>

	* Netspoc.pm: Invalid owner names are no longer silently ignored.

2010-06-02  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed crypto without pfs.

	* Netspoc.pm: Fixed bug in code of check_and_convert_routes which
	adjusts routes through VPN tunnel to cleartext interface.

2010-05-25  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed another bug in link_owner.
	Renamed it to link_owners.

	* Netspoc.pm: Fixed bug in link_owner

2010-05-21  heinz  <heinz@Buero>

	* Netspoc.pm:
	Fixed missing references to admin objects inside owner objects.

2010-05-19  heinz  <heinz@Buero>

	* Netspoc.pm: Add owner objects and admin objects to syntax.
	Owner objects are referenced by the owner attribute of network objects.
	Admin objects are referenced by the admins attribute of owner objects.
	New sub link_owner substitutes name of owner object by the object
	itself. Currently invalid owner names are silently ignored.

2010-05-17  heinz  <heinz@Buero>

	* Netspoc.pm: Allow attribute bind_nat for loopback interface.
	This can be necessary, because even a loopback interface establishes a
	separate NAT domain.
	We would need a NAT binding to hide one of two duplicate networks.

2010-05-07  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed removal of useless elements from automatic
	groups.  Now, these elements (like route_hint networks) are
	removed later, when the result is returned to rule processing and
	not on intermediate results.

2010-05-05  heinz  <heinz@Buero>

	* Netspoc.pm: Fix isakmp encryption for ASA from aesxxx to aes-xxx.

2010-04-29  heinz  <heinz@Buero>

	* Netspoc.pm: Warn for useless deletes of elements with "& !".
	Silently remove interfaces to route_hint or crosslink networks
	from automatic groups.
	Silently remove route_hint or crosslink networks from
	automatic network of interface.

2010-03-31  heinz  <heinz@Buero>

	* Netspoc.pm: Removed superfluous '' in warn and error messages.

	* Netspoc.pm: Bug fixes:
	- delete pathrestriction from interface if it isn't located inside
	  or at the border of cyclic graph.
	- in "sub path_mark", fixed test for interface with pathrestriction at
	  border of cyclic graph

2010-03-29  heinz  <heinz@Buero>

	* Netspoc.pm:
	Fixed bug when "overlaps" declaration references unknown policy.

2010-03-18  heinz  <heinz@Buero>

	* Netspoc.pm: Removed unused definition of sub print_chain_rule.
	Added code to calculate maximal number of matches in iptables
	(is commented out).

2010-03-16  heinz  <heinz@Buero>

	* Netspoc.pm: Changed default value for command line option
	-check_redundant_rules to 'warn'.

2010-03-10  heinz  <heinz@Buero>

	* Netspoc.pm: "crypto map crypto-outside map-name seq-num ipsec-isakmp"
	is no longer generated for ASA.

	* Netspoc.pm: New command line option -check_redundant_rules.
	Changed default value for -check_duplicate_rules to 'warn'.

	* Netspoc.pm: Permit multiple values for attribute 'overlaps'.

	* Netspoc.pm: Removed check for fully redundant rules.

2010-03-02  heinz  <heinz@Buero>

	* Netspoc.pm:
	Only warning if unknown policy is referenced in "overlaps = ..".

2010-03-01  heinz  <heinz@Buero>

	* Netspoc.pm: Added migration flag "n" to model of router
	definition.  This adds a line "[ NewApprove ]" to the generated
	code of marked device.

	* Netspoc.pm:
	New declaration "overlaps = policy:other_name;" in policy.
	It suppresses warning about duplicate or redundant rules
	between current policy and other policy.
	For redundant rules the other policy must be the policy with larger
	rules.

2010-02-24  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed bugs in syntax for ASA with LAN-to-LAN IPSec.

	* Netspoc.pm: Fixed bug in version 2.393:
	For VPN software clients, rules must be distributed to both,
	id_intf and cleartext interface.
	Rules at id_intf are needed to generate split tunnel ACLs.
	Added command "no sysopt connection permit-vpn" for crypto of ASA
	(without VPN).

2010-02-23  heinz  <heinz@Buero>

	* netspoc:
	Call "optimize_and_warn_deleted" instead of "optimize" for the first
	optimization pass.

	* Netspoc.pm:
	Attribute 'no_crypto_filter' is now applicable to model 'ASA, VPN'.
	If activated it generates:
	- command "no sysopt connection permit-vpn"
	- simpler vpn-filter ACL which only checks the source address
	- Traffic is filtered at standard interface ACL.
	Fixed a bug with vpn-filter for VPN networks:
	The filter is no longer applied to both username and group-policy,
	but only to username.

	* Netspoc.pm: Added checks for duplicate and redundant rules:
	- new command line switch "-check_duplicate_rules"
	- new exported function sub optimize_and_warn_deleted
	Fixed bug:
	When calculating auto interfaces,
	ignore secondary interfaces at unmanaged devices.

2010-02-10  heinz  <heinz@Buero>

	* Netspoc.pm: Give warning for duplicate elements in group or policy.

2010-02-08  heinz  <heinz@Buero>

	* Netspoc.pm: Unenforceable rules give warnings now.

	* Netspoc.pm: Ignore unenforceable rules from / to any when other
	end is inside this any.

2010-02-05  heinz  <heinz@Buero>

	* Netspoc.pm:
	Support LAN-to-LAN IPSec tunnels with pre-shared key at ASA device.
	- peer must have fixed IP address
	- peer can be managed or unmanaged device
	- traffic is filtered at interface access list
	  using 'no sysopt connection permit-vpn'.
	  vpn-filter ACLs can't be used because they are stateless.
	No longer support crypto tunnel at PIX device.
	Support encryption aes256 for isakmp and ipsec.

2010-02-03  heinz  <heinz@Buero>

	* Netspoc.pm:
	Temporarily disabled warning for inconsistent routing through redundancy
	interfaces in case of loopback network.

	* Netspoc.pm: No longer support "split-tunnel-policy 0".

	* Netspoc.pm: Fixed a bug in setpath.
	Attribute {distance} was not set correctly at semi_managed routers.

2010-02-01  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed bug in set_auto_intf_from_border

2010-01-29  heinz  <heinz@Buero>

	* Netspoc.pm:
	Added missing 'next;' when generating 'permit ip any any' for crosslink.
	Optimized code for IOS and crosslink.

	* Netspoc.pm: Removed dead code for adding pathrestrictions to
	cleartext interface of crypto tunnel.

	* Netspoc.pm: Added attribute "crosslink" for networks.
	A crosslink network combines two or more routers to a cluster of
	routers. Filtering occurs only at the outside interfaces of the
	cluster. The crosslink interfaces permit any traffic, because traffic
	has already been filtered by some other device of the cluster.
	These characteristics are enforced for crosslink networks:
	- no hosts must be defined inside
	- all attached routers are managed and have the same managed type
	  (secondary, standard, full, primary)
	- a hardware interface attached to a crosslink interface
	  has no other logical networks attached.
	- a crosslink network must not be used in rules
	- crosslink networks are left out from
	  network:[area:xx] and network:[any:xx]

2010-01-28  heinz  <heinz@Buero>

	* Netspoc.pm: Optimized path_walk.
	old: network,router,network,router
	new: any,router,any,router.
	New optimized code to find auto-interfaces and routes inside
	'any' objects.
	Rule flag "path" is currently broken, will be removed probably.
	Never add comments to iptables because we have no one-to-one mapping.

2010-01-27  heinz  <heinz@Buero>

	* Netspoc.pm: Allow unmanaged devices with pathrestrictions.
	Internally, these devices are marked as semi_managed.
	Groups of 'any' objects which are connected by semi_managed devices
	share a common 'any cluster' mark.
	Checks for
	- unenforceable rules
	- cluster of VPN hubs
	- reroute_permit
	have been changed to any_cluster checks.

2010-01-15  heinz  <heinz@Buero>

	* Netspoc.pm: When marking a path inside a loop, add data for the
	reverse path as well to reduce runtime.

2010-01-13  heinz  <heinz@Buero>

	* Netspoc.pm:
	Convert value of {path_tuples} only once from hash to array.

	* Netspoc.pm: Optimize navigation inside a cluster of loops.
	A cluster of loops consists of loops which are connected by a single
	node (network or router).
	Previously, a cluster of loops was handled like a single loop.
	This was inefficient for large clusters, because path finding is slow.
	Path finding inside a cluster is implemented more efficiently now by
	using the tree structure of the loops inside the cluster.

2010-01-05  Heinz Knutzen  <hk@Buero>

	* Netspoc.pm: Spell checked.

	* Netspoc.pm: perltidy, copyright 2010

	* Netspoc.pm: Two static routes via different interfaces:
	Show warning only if static routing is enabled for both interfaces.

	* Netspoc.pm:
	For a loopback interface, no ACL is generated.  In this case, at
	iptables devices, wrong code was generated, which called the non
	existent ACL. This has been fixed.
	Additionally, all declarations of chains have been moved to the top
	of the output.

2010-01-03  Heinz Knutzen  <hk@Buero>

	* Netspoc.pm: Removed $any_local_compatibilty. any:[local] isn't
	valid syntax any longer.

	* Netspoc.pm: Removed "interface:xx.[back]".
	This was not widely used and can easily be expressed with complement:
	"interface:xx.[all] & ! interface:xx.[auto]".
	Renamed "interface:xx.[front]" back to the old syntax
	"interface:xx.[auto]" which was still valid syntax in previous versions.

	* cut-netspoc: Call fatal_err in case of unknown policy.

	* Netspoc.pm: Better error message if topology has unconnected parts:
	show only a single object of each part.
	New subroutine fatal_err is called instead of "die".

	* netspoc:
	Call &find_subnets after &setpath to prevent irritating error messages
	in case of an unconnected topology.

	* cut-netspoc: Mark network which is referenced by marked 'any' object.

2010-01-02  Heinz Knutzen  <hk@Buero>

	* cut-netspoc:
	Call expand_policies such that hosts are converted to subnets,
	because this is needed by expand_crypto.

2009-12-17  heinz  <heinz@Buero>

	* Netspoc.pm: More compact message for unenforceable rules.
	For fully unenforceable policy only name of the policy,
	but no single src / dst pairs are printed.

2009-12-16  heinz  <heinz@Buero>

	* missing-approve: New file.

2009-12-03  heinz  <heinz@Buero>

	* Netspoc.pm:
	Fixed wrong case: 'vpn-Idle-timeout' -> 'vpn-idle-timeout'

2009-12-02  heinz  <heinz@Buero>

	* Netspoc.pm: A bug had been introduced in revision 2.364:
	Too many deny rules for protecting interfaces of a router had been
	removed because the test for any rules didn't work.
	This has been fixed.

2009-12-01  heinz  <heinz@Buero>

	* Netspoc.pm: Only generate deny rules to protect interface of IOS
	router, if a rule permits traffic to a directly connected network
	behind the device.

2009-09-18  heinz  <heinz@Buero>

	* Netspoc.pm:
	Print 'trust-point' to ipsec-attributes and not to
	general-attributes for ID ranges as well.

2009-07-22  heinz  <heinz@Buero>

	* Netspoc.pm: New attribute {is_identical} for networks, similar
	to {is_in}.  This is used to prevent duplicate code lines for
	routes, static and ACLs.  Duplicate lines occurred for the case of
	different networks being translated to one identical address.

2009-07-21  heinz  <heinz@Buero>

	* Netspoc.pm:
	Allow dynamic NAT to single IP address of loopback interface of NAT
	device.

	* Netspoc.pm:
	Fixed small bug with nat_map of policy_distribution_point.

2009-06-30  heinz  <heinz@Buero>

	* print-group: New file.

2009-06-16  heinz  <heinz@Buero>

	* Netspoc.pm: exported is_autointerface

2009-06-10  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed handling of internal attribute {id_rules} which
	is used to collect ACLs of VPN users. Now local_optimization is
	applied to these ACLs as well.

	* Netspoc.pm: Fixed syntax error.

2009-05-29  heinz  <heinz@Buero>

	* Netspoc.pm:
	Abort, if 'established' would be needed at ASA-VPN.

2009-05-19  heinz  <heinz@Buero>

	* Netspoc.pm: Added support for stateless tunnel interfaces of ASA VPN.

2009-05-18  heinz  <heinz@Buero>

	* Netspoc.pm:
	Bug fix:
	all vpn-filter of hardware clients accidentally got the same name.

2009-05-14  heinz  <heinz@Buero>

	* Netspoc.pm:
	Generate split_tunnel_networks even if list is empty.

2009-05-13  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed path of iptables-restore for IPTables.

2009-05-11  heinz  <heinz@Buero>

	* Netspoc.pm:
	IPTables: Define chain droplog and use it instead of DROP.

2009-05-08  heinz  <heinz@Buero>

	* Netspoc.pm: Optimized generation of default route.

2009-05-05  heinz  <heinz@Buero>

	* Netspoc.pm:
	Better check radius_attributes of ASA-VPN.
	Additional values are supported now,
	like trust-point and authentication-server-group.

2009-05-04  heinz  <heinz@Buero>

	* Netspoc.pm:
	Fixed check for duplicate IDs of different hosts coming into current
	hardware interface / current device.

2009-04-30  heinz  <heinz@Buero>

	* Netspoc.pm:
	Generate object-groups for ACLs of VPN users as well.
	Object-groups are no longer printed in one block, but are located
	before the ACL where they are referenced first.

	* Netspoc.pm: Fixed parser: error_atline -> syntax_err

	* Netspoc.pm: Already check for duplicate IDs in expand_crypto.
	Already distribute rules for single software VPN clients in
	rules_distribution.
	VPN configuration for a VPN user is still generated even if ACL
	is empty.
	Generate standard ACL for VPN user at ASA VPN. No longer do special
	optimization which is done at VPN3K devices.

2009-04-08  heinz  <heinz@Buero>

	* Netspoc.pm: Don't add extra deny rules at interface specific chains.
	Deny rules at builtin chains are sufficient.

2009-04-07  heinz  <heinz@Buero>

	* Netspoc.pm:
	Pathrestriction at a border interface of a loop is supported now.
	Valid paths inside a loop can now be defined individually depending
	on the interface where the loop is entered.
	sub intf_loop_path_mark has been removed.
	It has been substituted by an additional test in loop_path_mark1,
	which checks the special situation where a path starts or ends at
	an interface with pathrestriction.

2009-03-30  heinz  <heinz@Buero>

	* Netspoc.pm:
	Better warn message for two static routes to different hops.

	* Netspoc.pm: Allow more than one no_check interface.

2009-03-27  heinz  <heinz@Buero>

	* Netspoc.pm: Add pathrestriction to tunnel interfaces, which
	belong to real interface which has a pathrestriction.

2009-03-19  heinz  <heinz@Buero>

	* Netspoc.pm: Added closedir to sub read_file_or_dir

2009-03-17  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed syntax for group-policy $global_group_name

2009-03-06  heinz  <heinz@Buero>

	* Netspoc.pm:
	Removed "value" from "split-tunnel-policy value tunnelspecified"

	* Netspoc.pm: Removed "value" from "vpn-group-policy value $name"

	* Netspoc.pm:
	Changed "crypto ca certificate map" and "tunnel-group-map" commands.
	No longer generate one big command with a single name and different
	indexes for different users, but a single command with different name
	and fixed index for each user.

2009-03-03  heinz  <heinz@Buero>

	* Netspoc.pm: Check for duplicate ID at ASA_VPN device.

	* Netspoc.pm: Removed unused sub equal.

	* Netspoc.pm: ASA-VPN: fixed "ip local pool"

	* Netspoc.pm: Printing of object-groups of ASA-VPN:
	indent network-objects.

2009-02-13  heinz  <heinz@Buero>

	* Netspoc.pm:
	Support port address translation (PAT) to an interface for PIX and ASA.

2009-02-09  heinz  <heinz@Buero>

	* Netspoc.pm: No attribute 'radius_servers' for model ASA,VPN.
	Check for exactly one interface with attribute no_check is done while
	parsing.

	* Netspoc.pm: Fixed mark_primary, mark_secondary: Test
	for {active_path} has been added to prevent deep recursion.

	* Netspoc.pm: Fixed check_vpnhub: test only 'no_check' interfaces.
	Fixed set_policy_distribution_ip: start with router, instead of
	arbitrary interface when searching interface to
	policy distribution point.

2009-02-03  heinz  <heinz@Buero>

	* Netspoc.pm: Removed duplicate path_mark in path_auto_interfaces.

2009-02-02  heinz  <heinz@Buero>

	* Netspoc.pm:
	Fixed bug in intf_loop_path_mark:
	some interfaces were missing from %key2obj.
	Better error checking in loop_path_walk.
	Better error checking while generating routes for encrypted traffic.

2009-01-30  heinz  <heinz@Buero>

	* Netspoc.pm: Better error message if no valid path was found.

2009-01-27  heinz  <heinz@Buero>

	* cut-netspoc: Adapted to new implementation of crypto tunnels.

	* Netspoc.pm: Removed unused variable @tunnels.

	* Netspoc.pm:
	Attribute {hub} and {spoke} now reference a crypto object and
	no longer a crypto name.
	Removed attribute {has_tunnel}. Check {hub} and {spoke} instead.

	* Netspoc.pm:
	Moved execution of gen_tunnel_rules from link_tunnels to expand_crypto,
	to prevent rules for disabled tunnels.

	* Netspoc.pm: Ignore disabled tunnel in expand crypto.

	* Netspoc.pm:
	Removed useless $any->{active_path} = 1; in sub setarea1.

2009-01-19  heinz  <heinz@Buero>

	* Netspoc.pm:
	Print number of expanded rules before and after optimization

	* Netspoc.pm: Generate optimized chains for iptables. Large
	chains are split into smaller ones using bisection. The number of
	tests for each checked packet is largely reduced. Syntax for
	iptables has been changed to be used by iptables-restore.

	* Netspoc.pm: Removed unused code
	 elsif ($type eq 'Local') { ... }

	* Netspoc.pm: Support for ASA as VPN-concentrator.

2009-01-09  heinz  <heinz@Buero>

	* Netspoc.pm: Conversion from auto_crypto to tunnel_all.
	This allows assigning VPN clients to different VPN servers.
	New syntax:
	At interface of vpn server: hub = crypto:name
	At interface of VPN client: spoke = crypto:name
	'name' is used to connect client and server.
	Attribute 'auto_crypto' at VPN server isn't needed any longer.
	Attributes 'hub', 'spoke' and 'mesh' cease to exist in crypto
	definition, because they move to interface definition.
	The crypto definition has a new attribute 'tunnel_all'.
	It defines that all traffic will be encrypted.
	The previous crypto rules, which defined to be encrypted traffic
	are no longer supported.
	A cluster of VPN servers is defined by adding the same value for 'hub'
	at each server interface.
	The tunnel between spoke and hub is implemented internally
	by two interfaces and one network with IP 'tunnel'.
	This leads to a significant increase of cyclic parts of the topology.
	Surprisingly it didn't increase the runtime of "path_mark"
	significantly. Hence, we don't need to do more optimization here.

2008-11-20  heinz  <heinz@Buero>

	* Netspoc.pm: Added consistency check:
	All interfaces and hosts of a network must be located in that part
	of the network which doesn't overlap with some subnet.

2008-11-10  heinz  <heinz@Buero>

	* Netspoc.pm: Make result of intersection deterministic.

2008-09-26  heinz  <heinz@Buero>

	* Netspoc.pm: Relaxed a too strong check for consistent 'any'
	rules in a topology with HSRP and stateless routers.

2008-07-25  heinz  <heinz@Buero>

	* Netspoc.pm: fixed interface:[area:xx].[front|all]
	It didn't work for area with only managed devices.

2008-07-14  heinz  <heinz@Buero>

	* Netspoc.pm: New check for groups:
	Private group must not reference private element of other context.
	Public group must not reference private element.

2008-07-02  heinz  <heinz@Buero>

	* Netspoc.pm:
	Prepare removal of duplicate occurrences of the same IP address from
	a group of virtual interfaces.
	Bring the group of interfaces into an arbitrary order.
	This is used in local_optimization to remove all but one interface.

2008-06-27  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed a bug which was introduced in revision 2.302:
	Answers to packets sent by a device itself weren't permitted any longer.
	This prevented e.g. NTP from working.

	Added the concept of 'private' configuration contexts.  All
	definitions inside a directory or a file named 'xxx.private' are
	marked as private for 'xxx'. All other definitions stay public.
	Private definitions have some restrictions to prevent inadvertent
	changes from other parts of a large set of configuration files:
	- a private network object (host, network, interface, any) may only be
	  referenced by private rules, crypto definitions and pathrestrictions
	  of the same context.
	- only a private interface may be attached to a private network;
	  both must belong to the same private context.

2008-06-26  heinz  <heinz@Buero>

	* Netspoc.pm: Fixed bug with secondary interfaces and area
	definition.  A secondary interface is ignored now, when searching
	borders of an area.

	* Netspoc.pm: Fixed bug which was introduced in revision 2.298.
	No interface commands were printed for devices with type IOS_FW

	* Netspoc.pm:
	If a network with attribute 'route_hint' or an unnumbered network or
	interface is explicitly placed into a rule or group it is no longer
	silently discarded but a warn message is printed.

2008-06-24  heinz  <heinz@Buero>

	* Netspoc.pm:
	- Support virtual at interface without an IP address.
	- Support virtual loopback interface
	- Support attribute 'subnet_of' for loopback interface.
	- Internally handle a virtual interface as the main interface
	  if available.
	- Simplified handling of internally created network for loopback
	  interfaces.
	- Simplified handling of 'disabled' interfaces.

2008-06-23  heinz  <heinz@Buero>

	* Netspoc.pm:
	Allow multiple loopback interfaces per hardware interface.
	Allow loopback interface additionally to standard interface.

2008-06-11  Heinz Knutzen  <hk@Buero>

	* Netspoc.pm: Optimized set_policy_distribution_ip.

2008-06-10  Heinz Knutzen  <hk@Buero>

	* Netspoc.pm: New attribute policy_distribution_point for hosts.
	Mark the netspoc server with this attribute.
	If used, it adds a comment to the generated code file
	with that IP address of the device which is used to reach
	the device from the netspoc server.

2008-06-05  heinz  <heinz@Buero>

	* Netspoc.pm: No longer print multiple interface commands for IOS.

2008-06-01  Heinz Knutzen  <hk@Buero>

	* Netspoc.pm:
	New filter types 'primary' and 'standard' have been introduced for
	managed devices.
	If a device is marked as primary, all rules which pass this device,
	are implemented as secondary filters on other devices which are marked
	either as 'standard' or as 'secondary'.
	The effect of 'primary' can be overridden by choosing the filter type
	'full' at an other device.
	The default filter type for devices which are simply marked as
	'managed' was changed from 'full' to 'standard'.

2008-05-28  Heinz Knutzen  <hk@Buero>

	* Netspoc.pm:
	removed duplicate whitespace in generated Cisco access-lists.

	* Netspoc.pm: Added support for Cisco ASA.
	- uses keyword 'extended' in access-lists.
	- no identity NAT commands are generated.
	Reworked NAT code.
	Fixed a minor bug in NAT code:
	static src NAT was missing, if only outgoing traffic occured.

2008-04-29  heinz  <heinz@Buero>

	* Netspoc.pm: New syntax:
	- "foreach" keyword in "user" definition of a policy.
	- Usage of keyword "user" in rules is now allowed in nested
	  expressions.
	- any:[user] together with "foreach" is the new notation
	  for any:[local]
	Example:
	policy:test = {
	 user = foreach group:some_networks;
	 permit src = user;
	        dst = network:[interface:[interface:[user].[all]].[all]];
		srv = service:ip;
	}
	==> every network of group:some_networks is allowed to talk with
	its neighbor networks.
	- Implemented compatibility mode:
	  'local' is equivalent to 'user' but implies 'foreach'.
	  In this case, a policy must have exactly one rule.
	- Additional test for "disabled" in expand_group1.
	- Support for interface:[any:..].[all] in expand_group1.
	- Make results more deterministic:
	  sort {networks} of 'any' objects not only by IP, but by mask and IP.
	  sort {anys} of areas by name to get deterministic
	  results for network:[area:xx]
	- Duplicated single and double quotes in character classes of regexes
	  to not confuse syntax highlighting.

2008-01-17  heinz  <heinz@Buero>

	* Netspoc.pm: Better error message for unconnected part of the
	topology.

	* Netspoc.pm: Fixed bug for intersection with more than two elements.

2008-01-14  heinz  <heinz@Buero>

	* Netspoc.pm: Bug fix: use hardware interface name, not logical
	interface name in EZVPN ACL.

	* Netspoc.pm: check_unused_groups didn't work since version
	2.274. This has been fixed.  Removed newly introduced check for
	unused areas.

2008-01-11  heinz  <heinz@Buero>

	* Netspoc.pm: bug fix: result of interface.xx.[back] was always
	empty if interface was located inside a loop.

	* Netspoc.pm: add attribute is_used to objects which are
	referenced in automatic group definitions to get consistent
	results with cut-netspoc.

	* cut-netspoc: handle attribute reroute_permit

2008-01-10  heinz  <heinz@Buero>

	* Netspoc.pm: Added automatic group network:[any:xx].

2008-01-09  heinz  <heinz@Buero>

	* Netspoc.pm:
	Put attribute 'managed' at network which is directly attached to a
	managed router.  Put only interfaces into path_tuples where the
	corresponding object has attribute 'managed'. This is sufficient
	to get ACLs to managed routers and to find the next hop interfaces
	when generating static routes on managed routers.

	* Netspoc.pm:
	Better error handling for disabled interface without attached network.

	* Netspoc.pm:
	changed model->{name} back to "IOS_FW" for "model = IOS, FW"

	* Netspoc.pm:
	Support "easy vpn" for IOS router.
	Only implemented for auto_crypto case.
	Activate easy vpn by adding attribute "EZVPN" to model name:
	"model = IOS, EZVPN;"
	Introduced attributes for router names.
	Currently attributes "EZVPN" and "FW" are supported for model "IOS".
	Model "IOS_FW" should now be written as "IOS, FW".
	Crypto ACLs for EZVPN and crypto maps for IOS now get deny rules
	to protect router's own interfaces.

2008-01-07  Heinz Knutzen  <hk@Buero>

	* Netspoc.pm:
	moved EOF test from skip_space_and_comment to read_file to improve
	performance for perl 5.10.0

2008-01-01  Heinz Knutzen  <hk@home>

        * Makefile: added script start-jobs to tar-file

        * index.html: Copyright 2008

        * pre-lang.html:
	- loopback interfaces
        - automatic groups
        - object set for area,  pathrestriction, radius_servers

        * Netspoc.pm: Copyright 2008

        * Makefile: add to tar-file: *.c files, newpolicy.pl

        * Makefile: added rules to compile C programs:
	newpolicy, append-commitlog, suid-cvs

        * Netspoc.pm:
	Bugfix: Use read_intersection instead of read_complement for area,
	policy, pathrestriction, crypto tunnel and rule.
	Bugfix: Correct data structure for mesh of crypto tunnels.

2007-12-30  Heinz Knutzen  <hk@home>

        * Netspoc.pm:
        Allow long interface definition without IP, useful for defining a
        disabled short interface.

        * Netspoc.pm: Implemented network:[local].
        any:[local] and network:[local] are both represented
        by an object of type 'Local'.

2007-12-29  Heinz Knutzen  <hk@home>

        * Netspoc.pm:
        any:[local] and Autointerfaces are not allowed in intersection.
        Implemented intersection of multiple non complemented values.

2007-12-23  Heinz Knutzen  <hk@home>

        * Netspoc.pm: Better error messages for complement and intersection.

        * Netspoc.pm: Comment for "local $input".

2007-12-21  heinz  <heinz@home>

        * pre-lang.html: introduced object set, complement, intersection

        * pre-lang.html: Extended selector of interfaces: front | back | all

        * pre-lang.html: Better documentation for attributes of area.
        auto_border is no longer required for anchor.

        * pre-lang.html: removed any:[all]

        * pre-lang.html: removed 'every' objects

        * pre-lang.html: added service flags

2007-12-20  heinz  <heinz@home>

        * Netspoc.pm: Free memory of %groups in check_unused_groups

        * Netspoc.pm: Prepare rules for local_optimization only once at
	end of rules_distribution.  Free memory of expanded_rules at end
	of rules_distribution.

2007-12-19  heinz  <heinz@home>

        * Netspoc.pm:
        Free memory of some global hashes when their content is no longer used.
        Reduces memory usage by about 10%.

2007-12-14  heinz  <heinz@home>

        * pre-lang.html: Better explanation for reverse rules for tcp, udp, ip.

2007-12-12  heinz  <heinz@home>

        * pre-lang.html: interface:.x.[all] without short interfaces.

        * pre-lang.html: Secondary IPs and secondary interfaces.

        * pre-lang.html:
        removed old documentation for attribute "managed" of interfaces

        * netspoc.pod: command line switch: --time_stamps

2007-12-11  heinz  <heinz@home>

        * pre-lang.html:
        A pathrestriction is automatically added for each group of interfaces
        belonging to a VRRP or HSRP cluster.

        * pre-lang.html: Remote access and Cisco VPN 3000 devices.

        * Netspoc.pm: Allow complement and inverted elements additionally in
        policies, areas, pathrestrictions, crypto.

2007-12-10  heinz  <heinz@home>

        * Netspoc.pm: removed debug statement in expand_group

        * Netspoc.pm:
        expand_group: leave order of elements untouched when removing
	duplicates.

        * Netspoc.pm: first try with complement and inverted groups,
        example: group:g = network:[area:a] & !network:n;
        means all networks from area:a without network:n

2007-12-07  heinz  <heinz@home>

        * Netspoc.pm:
	A VPN router for remote office can now be used as a backup
	mechanism for larger locations. But only traffic from the directly
	attached network is allowed to cross the VPN router. This can be
	achieved by tunneling all the other traffic through a GRE tunnel.

2007-11-09  heinz  <heinz@home>

        * start-jobs: + eval $line

        * start-jobs: enhanced usage message

        * start-jobs:
        Wait for remaining processes to be finished before exiting.

        * start-jobs: Added
                echo '*Finished*'

        * start-jobs:
        Added parameter -r to command 'jobs' to only count running processes
        and no status codes.
        Added comments.

2007-11-08  heinz  <heinz@home>

        * Netspoc.pm: Added minimal POD

        * Netspoc.pm: Added a standard $VERSION variable for this module.

        * Netspoc.pm: Introduced loopback interfaces:
        - no attached network
        - no ACLs generated
        - declared by additional attribute 'loopback'
        - limited set of attributes allowed: ip, hardware, nat
        - Loopback interfaces of different routers may share the same name
          e.g. router:r1.loop and router:r2.loop
        - a loopback interface may be used in rules like other interfaces.
        - Interface and network with identical IP address is no longer allowed.
        Rules with service having src_path or dst_path flag:
        - Auto interfaces are supported now.
        Rules with service having src_net or dst_net flag:
        - 'Any' objects are no longer rejected but left unchanged.
        - Hosts having a vpn id are left unchanged.
        - Interfaces of managed routers are left unchanged.

2007-11-02  heinz  <heinz@home>

        * Netspoc.pm:
        Check for interface and network having equal IP address now is done for
	/32 mask as well.

2007-11-01  heinz  <heinz@home>

        * cut-netspoc: adapted to new Netspoc.pm
        - path_auto_interfaces
        - no every objects
        - group any:local no longer exists.

        * Netspoc.pm:
	- Extended auto interfaces:
          - added [back] to denote interfaces at the back side.
          - renamed [auto] to [front]
        - Extended syntax for 'automatic' objects and object-groups:
          - interface:[network:xx].[all|front|back]
            select all or some interfaces of a network.
          - interface:[interface:xx.yy].[all|front|back]
            equivalent to interface:xx.[all|front|back];
            may be useful if inner interface is result of group expansion.
          - network:[interface:xx.yy]
            the network attached to an interface.
          - network:[host:xx]
            the network attached to a host.
          - network:[network:xx]
            the network itself;
            may be useful if inner network is result of group expansion.
          - any:[interface:xx.yy]
          - any:[host:xx]
          - any:[network:xx]
          - any:[any:xx]
            The security domain where the inner object is located.
          - Additionally, a list of objects or groups may be given
	    as value in brackets
            e.g. network:[host:x1, host:x2, group:other_hosts]
          - interface:[managed & ... ].[all|front|back]
            Result is restricted to managed interfaces.
        - Restriction for auto interfaces:
          Auto interfaces, i.e. with [front] or [back] must only be used
	  at toplevel and not as inner object of other automatic objects.
          There is one exception from this rule:
          interface:[interface:xx.[front|back]].[xx] is allowed.
	  In this case the inner selector is ignored and the outer
	  selector xx is used.
        - An area can now be defined with anchor but without auto_border
          to simplify definition of an area containing the whole topology.
        - interface:[managed].[xx] and interface:[all].[xx] are
	  no longer supported.
          Define an area area:all, containing the whole topology and
          use it to define an equivalent set of interfaces:
          interface:[managed & area:all].[xx] and interface:[area:all].[xx]
        - any:[all] is no longer supported, use any:[area:all] instead.
        - 'every' objects are no longer supported,
	  use network:[area:xx] instead.
        - Groups can now be used to define interfaces of pathrestriction.

        * newpolicy.pl:
        Better handling of different policy numbers from diamonds/netspoc/current
        and netspoc/POLICY

2007-10-09  Heinz Knutzen  <hk@home>

        * Netspoc.pm: Introduced flags for services.
        Syntax:
        service:name = ip|tcp|udp|icmp|proto [number], [flag, ...];

        When a service with a flag is used in a rule, the rule is changed
        as follows:
        - stateless
        The rule is only applied to stateless devices.
        - reversed
        Source and destination are swapped.
        - oneway
	At stateless devices, don't automatically generate rules
	to permit answer packets.
        - dst_path
	The rule is replaced by n rules where the destination is
	substituted by interfaces i. i is defined by this rule: Take from
	each packet filter on the path from source to destination that
	interface i which is headed in source direction.
	This flag can be combined with flags dst_net or dst_any to not get
	the interface but the corresponding network or 'any' object.
        - dst_net
        Substitute destination of rule by the containing network.
        'Any' objects are not allowed.
        - dst_any
        Substitute destination of rule by the containing 'any' object.
        - src_path, src_net, src_any
        Equivalent to dst_* flags but with source replaced.

        Results of get_any, get_path are cached for speed improvement.

2007-10-05  heinz  <heinz@home>

        * Netspoc.pm: Cache results of find_smaller_srv.

        * Netspoc.pm:
        Combine %rule_tree and %reverse_rule_tree into a single %rule_tree
        with additional attribute 'stateless'.

2007-10-04  heinz  <heinz@home>

        * netspoc: removed call to optimize_reverse_rules

2007-10-01  heinz  <heinz@home>

        * start-jobs: New file.

2007-09-21  heinz  <heinz@home>

        * Netspoc.pm: areas defined by anchor and auto_border:
        - don't access {intf_lookup}
        - set attribute {border}

2007-09-20  heinz  <heinz@home>

        * loginfo: New file.

        * newpolicy.pl: Reworked. can now run setuid.
	Doesn't any longer ask for log message but always takes "pxxxx".

        * append-commitlog.c, newpolicy.c, suid-cvs.c: New file.

        * cvs-log.pl: Parsed output is written to STDOUT

2007-09-13  heinz  <heinz@home>

        * cvs-log.pl: New file.

2007-09-12  heinz  <heinz@home>

        * netspoc:
	Don't use $FindBin::Bin because it doesn't run with tainting and
	is considered buggy. Instead use
	File::Basename::dirname(File::Spec->rel2abs($0)) and untaint its
	result.

        * Netspoc.pm: Sort networks with equal IP by NAT-IP,
        when printing routing and static commands.

        * Netspoc.pm:
        PIX global command:
	If pool consists of one single IP, use "IP", not "IP-IP"

        * Netspoc.pm:
        Added two taint checks for the case when netspoc is running suid.

2007-08-31  Heinz Knutzen  <hk@home>

        * newpolicy.pl:
        Add flag '-A' to initial "cvs update" to prevent usage of sticky tags.

2007-08-30  Heinz Knutzen  <hk@home>

        * Netspoc.pm: Short interfaces (without known IP address)
        are no longer element of interface:*.[all]

        * Netspoc.pm: Enhanced command generation for PIX with dynamic NAT.
        If multiple networks are mapped to a single dynamic pool,
        now a single "global" command is generated,
        which is referenced by multiple "nat" commands.

        * Netspoc.pm:
        VPN3K devices can't handle access lists with check for ICMP type.
        Only simple ICMP can be checked for.
        Netspoc aborts now if it would generate code which VPN3K devices
	can't handle.

2007-07-18  Heinz Knutzen  <hk@home>

        * Netspoc.pm:
        An interface with multiple IP addresses is internally represented by
        multiple interfaces with exactly one IP address. These additional
        interfaces are called secondary interfaces. In previous versions, if
        an interface was referenced in a rule, all IP addresses are used.
        Now, only the first (primary) IP address is used. You have to add the
        secondary interface to get its IP address used.

        A Secondary interface by default gets a name which is derived from the
        name of the primary interface by adding an incrementing number
        beginning with "2".  E.g. interface:router.name.2,
        interface:router.name.3 .

        This naming scheme is used, if a list of ip addresses is specified
	for an interface. Alternatively, individual names can be given by
	a new syntax:
        interface:name = {
	 ip = 1.2.3.4;
	 secondary:name2 = { ip = 1.2.3.99; }
        }

        * cut-netspoc: Added RCS $Id$
        Copyright 2007

        * netspoc: Copyright 2007

        * netspoc: Added RCS $Id$

2007-07-01  Heinz Knutzen  <hk@home>

        * index.html: Copyright 2007

        * TODO: crypto, vpn3k

2007-06-15  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Fixed a bug with "disabled" flag of interfaces:
	netspoc crashed if this flag was used at a non managed router.

	* Netspoc.pm: local_optimization: convert any objects to network_00
	only for $expanded_rules{any}

	* Netspoc.pm: Fixed a bug in path_walk.
	The case where two different loops touch each other directly
	wasn't handled. This can occur if one loop starts at a network and
	the other one at a router and router and network are directly connected.

2007-05-19  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Corrected errors when handling
	- disabled interface without attached network,
	- area with only disabled interfaces.

2007-04-10  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Added new pragma
	use open ':locale';
	which should work with both old style locale and utf8.
	This works for perl 5.8.6 and above.

2007-04-08  Heinz Knutzen  <hk@home>

	* cut-netspoc: Handle attribute $router->{radius_servers}

2007-04-02  heinz  <heinz@home>

	* Netspoc.pm:
	Code cleanup in path_mark.

	* Netspoc.pm: Better formatting of time stamp

	* Netspoc.pm: New command line option "-time_stamps".
	Adds time stamps in seconds when printing compilation steps
	in verbose mode.

2007-03-29  heinz  <heinz@home>

	* pre-lang.html: interface:[managed & area:name]
	Copyright 2007

	* pre-lang.html: Interface with negotiated IP.

	* pre-lang.html: Deny rules for any rules aren't generated any longer.

	* pre-lang.html: Removed attribute "managed" of interfaces.
	Better explanation of secondary packet filters.

2007-03-28  heinz  <heinz@home>

	* Netspoc.pm: Removed attribute "managed" of interfaces.
	Optimized implementation of mark_secondary_rules.

2007-03-20  heinz  <heinz@home>

	* Netspoc.pm:
	Different hosts inside a network must not have the same IP address.
	This isn't enforced for IP ranges.

2007-03-07  heinz  <heinz@home>

	* Netspoc.pm:
	optimize_rules: shorter code.

	* Netspoc.pm: Added check_for_transient_any_rule.
	If we have a security domain any_A and two rules
	 permit XX any_A and permit any_A YY
	then this implies
	 permit XX YY
	which may not have been wanted.
	Netspoc now looks for this situation and aborts if the implied rule
	is not explicitly defined.
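	The transient 'any' rule situation described in this entry, as an
	added example that is not Netspoc's own code: a standalone Python
	check over a constructed rule set. Rule, find_transient_any_rules,
	report and the sample object names are assumptions, and matching the
	two rules only on an identical service name is a simplification.

```python
"""Added example (not Netspoc's own code): the transient 'any' rule check.

A rule is a triple (src, dst, srv). Security domains ('any' objects) are
written 'any:<name>' as in Netspoc syntax. If 'permit XX -> any_A' and
'permit any_A -> YY' both exist for the same service, traffic XX -> YY is
implicitly permitted through the domain. The check reports every such
implied rule that is not stated explicitly, so the operator can decide
whether it was intended. Matching on identical service name is a
simplifying assumption of this example.
"""
from typing import Dict, List, Set, Tuple, NamedTuple


class Rule(NamedTuple):
    src: str
    dst: str
    srv: str


def is_any(obj: str) -> bool:
    """A security domain is written as 'any:<name>'."""
    return obj.startswith("any:")


def find_transient_any_rules(rules: List[Rule]) -> List[Rule]:
    """Return implied rules XX -> YY that are not explicitly permitted.

    All given rules are 'permit' rules. For every pair
        (XX -> any_A) and (any_A -> YY) with the same service
    the implied rule (XX -> YY) is looked up in the explicit rule set.
    A candidate with XX == YY is not reported. Each implied rule is
    reported once, in the order of the first rule that produces it.
    """
    explicit: Set[Rule] = set(rules)
    # Index by (src, srv) so the second half of each pair is found directly.
    by_src: Dict[Tuple[str, str], List[Rule]] = {}
    for r in rules:
        by_src.setdefault((r.src, r.srv), []).append(r)

    implied: List[Rule] = []
    seen: Set[Rule] = set()
    for first in rules:
        if not is_any(first.dst):
            continue
        # Every rule leaving the same domain with the same service
        # completes a transient path XX -> any_A -> YY.
        for second in by_src.get((first.dst, first.srv), []):
            candidate = Rule(first.src, second.dst, first.srv)
            if candidate.src == candidate.dst:
                continue
            if candidate in explicit or candidate in seen:
                continue
            seen.add(candidate)
            implied.append(candidate)
    return implied


def report(rules: List[Rule]) -> List[str]:
    """Human-readable messages, one per implied rule that is missing."""
    return [
        "Transient rule implied but not defined: permit src=%s; dst=%s; srv=%s"
        % (r.src, r.dst, r.srv)
        for r in find_transient_any_rules(rules)
    ]


# Constructed sample rule set (names are made up for this example).
# The http pair implies network:office -> network:db, which is not
# defined; the ssh pair implies network:mgmt -> network:db, which is.
EXAMPLE_RULES = [
    Rule("network:office", "any:dmz", "service:http"),
    Rule("any:dmz", "network:db", "service:http"),
    Rule("network:mgmt", "any:dmz", "service:ssh"),
    Rule("any:dmz", "network:db", "service:ssh"),
    Rule("network:mgmt", "network:db", "service:ssh"),
]

if __name__ == "__main__":
    for line in report(EXAMPLE_RULES):
        print(line)
```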

2007-02-09  heinz  <heinz@home>

	* Netspoc.pm: Implemented more checks for vpn3k devices.

2007-02-07  Heinz Knutzen  <hk@home>

	* Netspoc.pm: iptables: -s 0.0.0.0/0 -d 0.0.0.0/0 is omitted.
	Check for network_00 in find_chains

	* Netspoc.pm: IDs of hosts and networks no longer need to have a '@'.
	IDs of subnets always need to start with '@'.
	IDs of hosts must not start with '@'.

2007-02-06  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Disabled interface wasn't fully disabled when routing=OSPF.

	* Netspoc.pm:
	- New attribute {interfaces} at virtual interfaces.
	- Pathrestrictions are added automatically for each set of
	  virtual interfaces.
	- Special handling for paths starting or ending at an interface inside
	  a subgraph. For routing and pathrestrictions the interface must be
	  handled as part of the attached network.
	  But for ACLs it must be handled as part of the attached router.

2007-01-19  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Sort networks of split tunnel list for vpn3k.

	* Netspoc.pm: auto_crypto: network must have exactly one network.

	* Netspoc.pm: Removed unused symbols from @EXPORT

2007-01-17  Heinz Knutzen  <hk@home>

	* Netspoc.pm: find_object_groups / find_chains:
	used nat_map instead of bind_nat because both are equivalent
	at a single router.

	* Netspoc.pm: find_object_groups / find_chains:
	clarified code in local function get_group / get_chain.

2007-01-16  Heinz Knutzen  <hk@home>

	* Netspoc.pm: print_acl:
	XRRP handling: better comment for $dst_range.
	protect own interfaces: swapped IOS/iptables, used elsif.
	Generate code: $name -> $acl_name.

2007-01-15  Heinz Knutzen  <hk@home>

	* Netspoc.pm: No tab in route command for IOS and PIX.

2007-01-04  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Removed unused variable declaration and related comment.

	* Netspoc.pm:
	Error messages for identical networks or networks with undeclared
	subnet relation no longer use name of NAT domain,
	but nat:tag from original syntax.

2007-01-03  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Negotiated interfaces are no longer removed from auto-object-groups and
	from the result of get_auto_interface.

2007-01-02  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Code cleanup.
	- New sub set_src_dst_range_list which fills new attribute
	  src_dst_range_list of services. This is called from expand_services.
	- New attribute is used in expand_rules instead of repeated calls
	  to expand_splitted_services.
	- Extracted sub link_crypto_rule_with_tunnel from sub expand_crypto.

	* Netspoc.pm: Ignore disabled interfaces as crypto tunnel endpoints.

2007-01-01  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Code cleanup.
	- Extracted sub mark_tunnels from sub expand_crypto.
	- Extracted new sub link_ipsec from sub expand_crypto.

2006-12-31  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Code cleanup.
	Moved call of link_pathrestrictions from link_topology to setpath
	and integrated additional tests.

2006-12-30  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Code cleanup.
	- Extracted code from sub setpath to new function
	  check_virtual_interfaces.
	- Clarified arguments to call of setpath_obj inside sub setpath.

2006-12-04  heinz  <heinz@home>

	* Netspoc.pm:
	- Model VPN3K no longer needs to be managed 'secondary'.
	- In distribute_rule:
	  Mark VPN network with applicable vpn3k devices,
	  i.e. the first vpn3k device(s) on the path from src to dst.
	- Better formatting of XML code for VPN3K.
	- Generate deny rules for auto_deny_networks at VPN3K.
	- Generate split-tunnel networks at VPN3K.
	- Check for maximum of 39 ACL lines at VPN3K
	  (to prevent too large RADIUS packets).

2006-11-09  heinz  <heinz@home>

	* cut-netspoc: Handle auto_crypto interfaces.

2006-10-13  heinz  <heinz@home>

	* Netspoc.pm: More work for vpn3k.

2006-10-12  heinz  <heinz@home>

	* Netspoc.pm:
	Added new syntax to select interfaces of an area.
	interface:[managed & area:name].[x] or
	interface:[all & area:name].[x] with [x] from [all] or [auto].

2006-10-11  heinz  <heinz@home>

	* Netspoc.pm:
	Sort auto_crypto peers by IP address to get deterministic code.

	* Netspoc.pm:
	Fixed bug in find_object_groups.

2006-10-10  heinz  <heinz@home>

	* Netspoc.pm:
	Fixed bug in convert_hosts.

	* Netspoc.pm: Better error checking for vpn3k.

2006-10-06  heinz  <heinz@home>

	* Netspoc.pm: More work for vpn3k.

2006-07-10  heinz  <heinz@home>

	* Netspoc.pm:
	No longer populate ref2obj for every rule, but only once for all
	networks, interfaces, subnets and anys.
	New ref2srv for services.

	* Netspoc.pm:
	Bug fix: Added missing "static" entries at pix devices for networks
	which have a dynamic NAT at some other device.

2006-07-03  heinz  <heinz@home>

	* Netspoc.pm: Better syntax check for illegal attribute in read_nat.

2006-06-02  heinz  <heinz@home>

	* Netspoc.pm:
	find_subnets: Take original $bignet,
	not the NATted one in subnet_of test.

2006-05-03  heinz  <heinz@home>

	* Netspoc.pm:
	Fixed bug with ref2obj and networks from optimization
	of secondary routers.

2006-03-14  heinz  <heinz@home>

	* Netspoc.pm: New optional internal attribute 'prio'.
	Rules with a high-prio service are placed first.
	ESP got prio 100, AH got prio 99.

	* Netspoc.pm: Corrected syntax for iptables sport and dport.

2006-03-06  heinz  <heinz@home>

	* Netspoc.pm:
	Fixed a bug in parser.
	Lists of values must be separated by comma,
	only whitespace isn't valid any longer.

	* Netspoc.pm:
	Better handling of negotiated interfaces.

2006-03-02  heinz  <heinz@home>

	* Netspoc.pm: Generate code for ID hosts, even if no_check is active.

	* Netspoc.pm:
	Fixed bug in check for identical IP addresses of virtual interfaces.

	* Netspoc.pm: Support of nat traversal for ipsec.

	* Netspoc.pm: Fixed bug in auto_crypto, not only a network
	but also a host triggers tunnel creation.

2006-03-01  heinz  <heinz@home>

	* Netspoc.pm:
	- ignore unnumbered and negotiated interfaces from .[auto]
	- Better error-message for dst with mask 0.0.0.0 in pix static
	- only apply auto_crypto for traffic which passes vpn3k, but not if
	  traffic ends at interface of vpn3k.

2006-02-28  heinz  <heinz@home>

	* Netspoc.pm:
	added support for IPSec attributes identity, 2x lifetime and
	authentication. But no code is generated for IOS
	if default values are used.

2006-02-27  heinz  <heinz@home>

	* Netspoc.pm:
	dropped support for IPSec attributes identity, 2x lifetime and
	authentication.

2006-02-24  heinz  <heinz@home>

	* Netspoc.pm:
	Generally, no auto_default_route is generated if a network 0.0.0.0/0
	is defined.
	This has been relaxed, if network 0.0.0.0/0 has a route_hint.

	* Netspoc.pm: IP / mask of network now can have value 0.

	* Netspoc.pm: added support of negotiated interface.
	automatically add rules which permit encrypted traffic
	of auto_crypto tunnels.

2006-02-21  heinz  <heinz@home>

	* Netspoc.pm: new attributes in language: auto_crypto, no_check

2006-01-30  heinz  <heinz@home>

	* Netspoc.pm:
	Bug fix: only attach existing crypto map to hardware-interfaces.

2006-01-18  heinz  <heinz@home>

	* Netspoc.pm: code cleanup:
	Left only one call of loop_path_walk in path_walk.

2006-01-12  heinz  <heinz@home>

	* Netspoc.pm:
	Silently ignore crypto tunnels terminating at vpn3k devices.

	* Netspoc.pm: Export crypto symbols.

	* cut-netspoc: crypto support

	* Netspoc.pm: Don't combine subnets having radius-ID.

	* cut-netspoc: added call to order_services to handle orig_srv.

2006-01-11  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Spelling.

	* Netspoc.pm: allow crypto rules with deny and any.

2006-01-11  heinz  <heinz@home>

	* Netspoc.pm: Corrected test for illegal cyclic area definition.

2005-11-01  heinz  <heinz@home>

	* Netspoc.pm:
	Better error checking when trying to access a dynamically
	NATed interface.

2005-10-24  heinz  <heinz@home>

	* Netspoc.pm: support of certificate wildcards for host ranges:
	host:id:@suffix.

2005-10-21  heinz  <heinz@home>

	* Netspoc.pm: first usable version for vpn3k.

2005-10-19  heinz  <heinz@home>

	* Netspoc.pm:
	Started work for cisco vpn3k devices.
	Certificate name may be used as name of host.

	* Netspoc.pm: mark used services for cut-netspoc

2005-09-17  Heinz Knutzen  <hk@home>

	* Makefile: added --exclude=RCS for tar command.

	* VERSION:
	* TODO:
	* NEWS.html:
	Prepare version 3.0.

	* index.html: Mentioned crypto. Removed links to email addresses
	to reduce SPAM. Removed CSPM stuff.

	* Netspoc.pm:
	Made code 64 bit clean. This was necessary for complement and left-shift
	operations on 32 bit IP addresses.

2005-09-13  Heinz Knutzen  <hk@home>

	* pre-lang.html:
	Added description for attribute 'routing=manual' of interfaces.

	* pre-lang.html:
	Added documentation for attribute no_crypto_filter of routers.

	* Netspoc.pm: Missing error if "any" object referenced unknown router.

2005-09-11  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Hub and spoke attributes must be used pairwise.

	* Netspoc.pm: Attributes 'hub' and 'spoke' of crypto definition
	may only occur once and pairwise. This has been changed to
	highlight the difference to attribute 'mesh' which indeed may be
	used multiple times to denote isolated meshes.

	* pre-lang.html:
	Added  "owner" to syntax of network, host, any and area.
	Introduced ", ..." as syntax element to denote a comma separated
	list of one or more elements.
	Substituted <xxx list> by <xxx>, ...

	* pre-lang.html: Renamed interface_name to external_name where
	whitespace and quotes are no longer allowed.

	* Netspoc.pm: read_string: String must not contain space or single
	or double quotes. This applies to names of hardware interface and
	owner.

	* pre-lang.html: ip/prefix syntax for network and NAT definition.

	* pre-lang.html: Only interfaces of managed routers must be given
	as border for areas.

	* pre-lang.html: Added documentation for areas.

2005-09-10  Heinz Knutzen  <hk@home>

	* cut-netspoc: Applied perltidy.

	* cut-netspoc: Use $Netspoc::input, no longer $_

	* cut-netspoc: Better usage message.

	* netspoc.pod: Added description for new options.
	Used some formatting codes.

2005-09-09  Heinz Knutzen  <hk@home>

	* netspoc.pod: Added documentation for reading from STDIN and writing
	to STDOUT.

	* Makefile: pod2html no longer generates bad html anchors.
	Postprocessing with
	perl -pe 's/="([^"]*)">/($_=$1,tr.A-Za-z0-9#..cd,qq.="$_">.)/e'
	isn't needed any longer and indeed it rendered external links
	useless.

	* Netspoc.pm:
	Interfaces of unmanaged router must not have attribute "managed"

	* pre-lang.html: Added description for "managed" attribute at
	interface level from branch.

	* pre-lang.html: added basic crypto syntax

	* Makefile: added cut-netspoc

2005-09-08  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	expand_rules: moved local functions to top level.
	Some adaptions to "Perl Best Practices".

2005-09-01  Heinz Knutzen  <hk@home>

	* Netspoc.pm: formatted with perltidy.

2005-08-31  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Added attribute {has_neighbor} to TCP and UDP
	services which have some adjacent range. Used this to implement a
	more efficient optimization of port ranges.

2005-08-30  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Adjacent port ranges are automatically joined now.
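
As an added illustration of the two entries above (2005-08-31 and 2005-08-30), here is a small Python reconstruction of joining adjacent port ranges. It is not Netspoc's own Perl code; the meaning given to {has_neighbor}, the function names and the IOS rendering are assumptions.

```python
# Added example (not Netspoc's own Perl code): joining adjacent port ranges.
from typing import Iterable, List, Set, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high) with 1 <= low <= high <= 65535


def check_range(r: PortRange) -> None:
    lo, hi = r
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port range {lo}-{hi}")


def mark_has_neighbor(ranges: Iterable[PortRange]) -> Set[PortRange]:
    """Return those ranges that directly touch another range in the list.

    Assumed reconstruction of the {has_neighbor} attribute: a range gets it
    when another range ends exactly one port below its low end or starts
    exactly one port above its high end.
    """
    ranges = list(ranges)
    for r in ranges:
        check_range(r)
    lows = {lo for lo, _ in ranges}
    highs = {hi for _, hi in ranges}
    return {(lo, hi) for lo, hi in ranges if (lo - 1) in highs or (hi + 1) in lows}


def join_adjacent_ranges(ranges: Iterable[PortRange]) -> List[PortRange]:
    """Return the shortest sorted list of ranges covering exactly the same ports.

    Ranges are joined only when they overlap or are direct neighbours, so the
    union of ports never grows; the result is what an ACL generator would
    emit as 'eq'/'range' entries.
    """
    ordered = sorted(ranges)
    for r in ordered:
        check_range(r)
    merged: List[PortRange] = []
    for lo, hi in ordered:
        if merged and lo <= merged[-1][1] + 1:   # overlap or adjacency
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def ios_port_clause(r: PortRange) -> str:
    """Render a range the way Cisco IOS extended ACLs expect it."""
    lo, hi = r
    if (lo, hi) == (1, 65535):
        return ""                 # no port clause: any port
    return f"eq {lo}" if lo == hi else f"range {lo} {hi}"


if __name__ == "__main__":
    # Constructed sample: a service group listing neighbouring ranges one by one
    sample = [(80, 80), (81, 90), (443, 443), (8000, 8080), (8081, 8443)]
    print(mark_has_neighbor(sample))
    for r in join_adjacent_ranges(sample):
        print(ios_port_clause(r))
```

The security-relevant property of such an optimizer is that it must not widen what the policy permits: a gap of a single port (8080 followed by 8082) keeps the two ranges separate, and only a contiguous union is collapsed.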

2005-08-25  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Split handling of src and dst ports to get rid of
	the overlapping services problem.
	Added attribute src_ports to expanded rules.
	If srv holds a TCP or UDP service, src_ports holds another TCP or UDP
	service, typically a port range 1-65535.
	If srv is neither TCP nor UDP, src_ports is set to protocol IP.
	All hashes of hashes over rules now additionally handle
	src_ports. No need for reverse services any longer. Now srv and
	src_ports are simply swapped.
	Parser no longer uses $_ but $input instead.

2005-08-21  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Included patch about {link} in get_path from branch.

	* Netspoc.pm:
	No check for duplicate service needed in order_ranges, because
	this has been done in prepare_srv_ordering already.

2005-08-12  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Remove unused subroutine check_less_equal.

2005-08-09  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Removed unused variables from function distribute_rule_at_dst.

	* Netspoc.pm: Added check for duplicate attribute 'owner' at area.

2005-08-05  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Renamed read_description to check_description and added check for
	$store_description.
	New function check_assign_range.
	More flexible syntax: fixed order isn't required any longer for
	attributes owner, ip, range of host and
	attributes ip, unnumbered of network.

2005-07-14  Heinz Knutzen  <hk@home>

	* pre-lang.html:
	- language.html renamed to pre-lang.html
	- Table of contents removed; it is generated automatically by
	  hypertoc now.
	- CSS added.
	- Ordered attributes of network:xx by importance, since attributes
	  may now be given in arbitrary order.
	- Removed router:xx from "Referencing network objects".

2005-07-13  Heinz Knutzen  <hk@home>

	* Makefile:
	language.html is created by hypertoc from raw-lang.html.

	* .hypertocrc: New file.

2005-07-10  Heinz Knutzen  <hk@home>

	* pre-lang.html: Spell checked.

2005-07-08  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Spell checked.
	Duplicate rules which may occur at loop entry are suppressed again
	in function distribute_rule.

2005-07-05  Heinz Knutzen  <hk@home>

	* Netspoc.pm: 
	Fixed bug in argument processing: assign_tri --> check_tri.
	Fixed check for unenforceable rules, moved to expand_rules and
	made this customizable by command line argument.

2005-07-04  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Removed unused attribute 'orig_rule' in
	gen_reverse_rules and print_rule.

	* Netspoc.pm: New optional attribute "owner" at host, network, any
	and area.

2005-07-02  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Additional syntax for 'ip' and 'mask' of networks and NAT
	definitions: ip=x.x.x.x/n with n = prefix length.

2005-06-30  Heinz Knutzen  <hk@home>

	* cut-netspoc:
	Handling of areas.

	* Netspoc.pm: Variable %areas exported.
	New function "is_area".
	New syntax "network:[area:xx]" and "any:[area:xx]".
	Networks with attribute 'route_hint' are left out from result of
	"every:xx" and "network:[area:xx]".

2005-06-29  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Introduced "areas". Syntax, marking enclosed
	security domains.

2005-06-21  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Usage message now describes different options.
	If command line argument "out-directory" is missing, generated code
	is printed to STDOUT.
	New parameter '-quiet'

2005-06-19  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Policies are sorted to get deterministic results.
	Check for unenforceable moved to correct location.

2005-06-18  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Generated crypto commands are bound to an interface now.

2005-06-14  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Added code for IPSec: transform, lifetime, pfs

	* Netspoc.pm:
	Only warning if disabled Interface references unknown network.

2005-06-13  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Only warning, not error for pathrestrictions with
	less than two interfaces.

	* cut-netspoc: Only print pathrestrictions with at least two
	active interfaces.

	* cut-netspoc: + global_nat
	Ignore internal groups from xxx:[all], there's no {src_code}.

	* Netspoc.pm: export %global_nat

2005-06-12  Heinz Knutzen  <hk@home>

	* cut-netspoc: New program file.

	* Netspoc.pm: Automatically free large content of $_ in function
	read_file.

	* Netspoc.pm: Export %pathrestrictions.

	* Netspoc.pm: Unknown networks in reroute_permit and subnet_of
	no longer abort but give a warning.

	* Netspoc.pm: Function get_path with an 'any' object as argument
	no longer returns a random network, but the network used in the
	{link} attribute. This gives a more deterministic result.

	* Netspoc.pm: preparation for new command "cut-netspoc":
	- additional symbols are exported,
	- read_file now uses STDIN if filename is "-".
	- Used "every" objects are marked with 'is_used' (like groups).

	* Netspoc.pm: Files are no longer read line by line but as a whole.
	{file} attribute is automatically set by read_netspoc for all global
	definitions.
	"include" keyword isn't supported any longer.
	read_file_or_dir gets an optional second parameter which defaults to
	read_netspoc. read_netspoc is exported now.
	This can be used to build a customized read_netspoc function
	which is given to read_file_or_dir as 2nd parameter.

2005-06-09  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Generating isakmp commands for IOS + PIX.

2005-06-07  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Show warning about "unenforceable rule". This occurs if there is
	no managed router between src and dst.

2005-06-06  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Disabling parts of a cyclic graph is possible
	now. Virtual interface and pathrestrictions outside of a loop now
	gives a warning and no longer aborts.

	* Netspoc.pm: Prevent error when rules of hardware was undefined.
	This occurs if a managed interface gets no rules at all.

	* Netspoc.pm:
	Disabling of managed routers no longer gives a warning message.

2005-06-02  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Bugfix: secondary interface and find_related_rules: 
	Use ||= instead of |=.

	* Netspoc.pm: Attribute {loop_leave} of an interface inside a loop
	no longer uses an array but a hash to prevent duplicate
	interfaces. This is converted to an array after all interfaces
	have been collected.

	* Netspoc.pm: New syntax for port ranges from main branch.

	* Netspoc.pm: Added new routing type 'manual', which simply
	disables generating static routes and handles no dynamic routing
	protocol.  
	Interface of a network with mask = 255.255.255.255 is no longer
	checked for network and broadcast address.

2005-05-28  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Better error handling to prevent unhandled internal
	errors. 

	* Netspoc.pm: Unconnected Auto-Interface could cause an infinite
	loop during path_walk.

2005-05-26  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Merged changes about secondary interfaces from branch 2.105.1.4

	* Netspoc.pm: mark_secondary_rules: handle interfaces with
	secondary filtering level.

	* pre-lang.html:
	Description for "managed" attribute at interface level.

	* Netspoc.pm:
	Secondary or full filtering level may be defined individually at
	interface and as default value for all interfaces at router.

2005-05-25  Heinz Knutzen  <hk@home>

	* Netspoc.pm: isakmp, ipsec: values 'none' and 'off' are
	internally mapped to undef.
	isakmp, ipsec: Identifiers of keys and values don't use '-' but '_'.
	Added internal services for natt and ah.
	Automatically generated rules for tunnels now use info about NAT
	Traversal, IKE, ESP and AH.

2005-05-24  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Commands "crypto access-group" are generated now.

2005-05-23  Heinz Knutzen  <hk@home>

	* Netspoc.pm: $srv->{depth} has been deleted, it wasn't used any
	longer.

	* Netspoc.pm:
	- New variable $use_nonlocal_exit which may be used to disable
	  nonlocal exits. Disable them when using the perl profiler.
	- More efficient and more accurate functions and data structures
	  for checking if traffic described by a rule goes (partly)
	  through a crypto tunnel.

2005-05-06  Heinz Knutzen  <hk@home>

	* Netspoc.pm: - use '==', not 'eq', when comparing number of keys
	- set attribute {up} for interfaces and networks in sub convert_hosts
	- call expand_group for crypto rules with parameter convert_hosts=1

2005-05-05  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Merged Changes of branch: Bugfix for deny rules.

	* Netspoc.pm:
	- multiple occurrences of 'use locale' have been replaced by a
	  single occurrence at top of file.
	- Added 'use open ":utf8"' as comment.
	- Attribute 'no_crypto_filter' in router definition.
	- crypto: definition has attribute 'type'.

	* netspoc: added call to expand_crypto.

	* NEWS.html: spelling.

	* Makefile:
	Use current working directory instead of hard coded 'develop'.

	* VERSION, NEWS.html: netspoc-2.6 (released from branch)

	* Netspoc.pm: There was a bug in local optimization which has been
	introduced in version 2.2.  Some deny rules could inadvertently be
	marked as redundant, leading to missing ACLs for these rules in
	generated code. This bug has been fixed.

2005-05-04  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	No reverse rules will be generated for deny rules of protocol TCP.

	* index.html: Added reference to mailing list.

2005-03-22  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	- parameter $name for read_xxx functions now includes type.
	  The type was added most of the time anyhow.
	- Check for redefining global definitions was put into read_netspoc.
	- New function read_attributed_object, currently used for
	  isakmp and ipsec.
	- Ipsec definition implemented.
	- print_crypto returns if there aren't any crypto tunnels
	  defined for a device.

2005-03-20  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Now read isakmp definition.

2005-03-05  Heinz Knutzen  <hk@home>

	* Netspoc.pm: added crypto map syntax for IOS

	* Netspoc.pm, language.html:
	New syntax for defining both source and destination port:
	port:port or range-range:range-range.
	Old syntax with port->port never worked, because '->' has the
	same prefix as '-'.
	Better error messages for overlapping port ranges.
	Fixed a bug in expand_policies.

2005-03-04  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Rules which permit IPSec packets of tunnels are generated
	automatically. 

2005-03-03  Heinz Knutzen  <hk@home>

	* Netspoc.pm: PIX crypto maps

2005-03-02  Heinz Knutzen  <hk@home>

	* Netspoc.pm: path_walk works with crypto.

2005-02-16  Heinz Knutzen  <hk@home>

	* netspoc, Netspoc.pm:
	Working on crypto.

2005-02-15  Heinz Knutzen  <hk@home>

	* VERSION: netspoc-2.5

	* NEWS.html: Version 2.5

	* language.html: commands generated for specific devices. ACLs are
	augmented for redundancy protocols.

2005-02-14  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Removed useless code from path_first_interfaces.

	* Netspoc.pm: Now really fixed access-group command.

	* Netspoc.pm: PIX commands icmp, telnet, ssh, http are generated now.

	* Netspoc.pm: Fixed a bug in "ip access-group" syntax for Cisco IOS.

2005-02-03  Heinz Knutzen  <hk@home>

	* VERSION, NEWS.html, TODO: Version 2.4

	* Netspoc.pm: Access list for dynamic routing protocol checks for
	src network now.

	* language.html: Extended virtual interface definition.

	* Netspoc.pm: New and extended syntax for virtual interfaces of
	redundancy protocols. Access lists for multicast packets of
	redundancy protocols are generated now.

2005-02-01  Heinz Knutzen  <hk@home>

	* Netspoc.pm: A node inside a cyclic graph will never have an
	attribute {main}; only the starting point will have. This
	property is used to simplify code of path_mark.

2005-01-30  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Better handling of path traversal for a special
	case with interfaces inside a loop as src or dst.

	Example:
	        /-r1-\
	n0-r0-n1      n2
	        \-r2-/
	
	Be src=n0, dst=interface:r1.n1
	The only valid path is
	 n0-r0-n1-r1
	The old version generated a second path by mistake:
	 n0-r0-n1-r2-n2-r1
	because it didn't notice that dst has already been reached when
	traversing n1. 
	This bug has been fixed.
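
Added example (Python, not Netspoc's Perl code): the topology sketched above, with the old router-based and the corrected interface-based search side by side. Node names come from the sketch; the graph representation and function names are assumptions.

```python
# Added example (not Netspoc's own code): path enumeration when the
# destination is an interface of a router that sits inside a loop.
from typing import Dict, List, Tuple

Interface = Tuple[str, str]  # (router, network): ("r1", "n1") is interface:r1.n1

# Constructed topology from the ChangeLog sketch:
#         /-r1-\
# n0-r0-n1      n2
#         \-r2-/
ROUTERS: Dict[str, List[str]] = {
    "r0": ["n0", "n1"],
    "r1": ["n1", "n2"],
    "r2": ["n1", "n2"],
}


def build_graph(routers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Undirected graph over routers and networks; every router-network
    edge is one interface of that router."""
    adj: Dict[str, List[str]] = {}
    for router, nets in routers.items():
        for net in nets:
            adj.setdefault(router, []).append(net)
            adj.setdefault(net, []).append(router)
    for node in adj:
        adj[node].sort()     # deterministic traversal order
    return adj


def paths_to_router(adj: Dict[str, List[str]], src: str,
                    dst_router: str) -> List[List[str]]:
    """The old behaviour: the interface is treated like its router, so every
    loop-free path that ends at the router counts, no matter on which
    interface it arrives."""
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == dst_router:
            found.append(path)
            return
        for nxt in adj[node]:
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return found


def paths_to_interface(adj: Dict[str, List[str]], src: str,
                       dst: Interface) -> List[List[str]]:
    """Fixed behaviour: the destination is reached only when the walk steps
    from dst's network into dst's router, i.e. through that interface.
    Entering the router on any other interface is not an arrival, and the
    walk must not continue through the destination router."""
    dst_router, dst_net = dst
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        for nxt in adj[node]:
            if nxt in path:
                continue
            if nxt == dst_router:
                if node == dst_net:
                    found.append(path + [nxt])
                continue          # arrived on the wrong interface: no path
            walk(nxt, path + [nxt])

    walk(src, [src])
    return found


if __name__ == "__main__":
    g = build_graph(ROUTERS)
    print("old:", paths_to_router(g, "n0", "r1"))
    print("new:", paths_to_interface(g, "n0", ("r1", "n1")))
```

The extra path the old search produced matters for a policy compiler: every router on a path gets ACL entries for the rule, so a spurious path n0-r0-n1-r2-n2-r1 would open r2 and r1's n2 interface for traffic that never legitimately passes there.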

2005-01-29  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Cleanup of NAT code.

2005-01-27  Heinz Knutzen  <hk@home>

	* VERSION: netspoc-2.3

	* Netspoc.pm:
	Fixed a bug in internal handling of NAT. This could lead to missing
	optimization of subnets and possibly to wrong code.

2005-01-24  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Bug fix: local_optimization no longer uses attribute
	'subnet_of', but 'is_in' for each NAT domain.

	* newpolicy: (c) 2004

	* netspoc, language.html, Netspoc.pm: (c) 2005

	* index.html: Copyright 2005, perl version 5.8

2005-01-23  Heinz Knutzen  <hk@home>

	* VERSION: netspoc-2.2

	* Netspoc.pm: no_object_groups -> no_group_code, will be observed
	by chains as well.

	* CSPM.pod: added: Written at 2002/03/11.

	* language.html: auto_default_route is disabled for routers with
	dynamic routing enabled.

	* language.html: subnet_of may be declared for NAT definitions.

	* language.html: Rules with an 'any' object as src and dst may be
	defined now.

	* language.html: + global NAT

2005-01-22  Heinz Knutzen  <hk@home>

	* language.html: name: + hyphen

	* language.html: + no_group_code

	* language.html: pathrestriction: Only interfaces of managed
	routers may be referenced.

	* language.html: removed [ static_manual; ]

	* language.html: any:[local]

	* Netspoc.pm: subnet_of: Prevent multiple error messages in
	different NAT domains.

	* Netspoc.pm: Allow virtual IP to be equal to physical IP.

2005-01-14  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Bug Fix: Don't jump out of path_walk, when
	collecting routes and statics inside a cyclic subgraph, because
	there is no defined order for traversing a cyclic subgraph.

	* netspoc.pod: Options can now be changed from command line; no
	need to change source code.

	* Netspoc.pm: Applied Getopt::Long patch from Stephane Bortzmeyer
	<bortzmeyer(at)nic(dot)fr>. Changed name of option
	warn_unused_groups to allow_unused_groups. Changed handling of
	tri-state options.

2005-01-03  Heinz Knutzen  <hk@home>

	* Netspoc.pm: NAT syntax: New concept of 'global NAT' definition,
	which is used to declare 'masquerading': A single, global NAT
	definition is applied to all networks located behind an interface.
	NAT syntax: Attribute 'subnet_of' may now be declared at local and
	global NAT definitions.

	An interface of an IOS router isn't protected automatically, if it
	is dynamically NATed at another interface of the same router.

2004-12-11  Heinz Knutzen  <hk@home>

	* Netspoc.pm: NAT syntax: Different networks may be translated to
	the same dynamic address space.

2004-12-07  Heinz Knutzen  <hk@home>

	* Netspoc.pm: find_subnets checks NATed networks as well.

2004-11-24  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Better internal data structure for NAT: NAT Domains
	and nat_map.

2004-11-21  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Check, that an 'any' or 'every' object is not linked
	to a router without interfaces.

2004-11-20  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Introduced a 'debug' function.

2004-11-13  Heinz Knutzen  <hk@home>

	* Netspoc.pm: path_walk: If destination is an interface which is
	directly connected to a network at loop entry, then walk directly
	to destination and don't use other paths inside this cyclic graph.

2004-10-21  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Validate dynamic NAT for every rule when it is distributed to a
	managed router. If a host or interface of a rule lies inside a
	dynamically NATed network, but doesn't have a static translation
	of its own, we have to be careful. 
	At our current router we could only filter for the whole network,
	because there isn't any more specific address available.
	But this relaxed filtering should only be done, if there is
	another router on the path, which does a full filtering of the
	original untranslated address. Otherwise an error is raised.
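
Added example, not Netspoc's code: a simplified Python model of the check described above. Networks, hosts and routers are constructed with made-up names and addresses; the 'active_nat' set stands in for the NAT domain a router filters in (its nat_map), and the class and function names are assumptions about how such a check would be structured.

```python
# Added example (not Netspoc's own code): deciding, per managed router on a
# rule's path, whether a host behind dynamic NAT can be filtered precisely.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Network:
    name: str
    ip: str
    # NAT tag -> "static" (1:1, address stays host-specific) or "dynamic" (pool)
    nat: Dict[str, str] = field(default_factory=dict)


@dataclass
class Host:
    name: str
    ip: str
    network: Network
    # NAT tags for which this host has a static translation of its own
    static_nat: Set[str] = field(default_factory=set)


@dataclass
class Router:
    name: str
    # NAT tags in effect where this router filters (stand-in for nat_map)
    active_nat: Set[str] = field(default_factory=set)


class NatError(Exception):
    """Raised when no router on the path can filter the real address."""


def filtering_at(host: Host, router: Router) -> str:
    """'full' if the router sees a host-specific address; 'network' if the
    host is hidden behind a dynamic translation and only the whole
    translated network can be matched at this router."""
    for tag in router.active_nat:
        if host.network.nat.get(tag) == "dynamic" and tag not in host.static_nat:
            return "network"
    return "full"


def validate_dynamic_nat(host: Host, path: List[Router]) -> Dict[str, str]:
    """Decide per router how a rule mentioning 'host' may be filtered.

    Filtering on the whole network is tolerated only if some other router
    on the path filters the original, untranslated address; otherwise the
    rule would silently permit every host of that network."""
    decisions = {r.name: filtering_at(host, r) for r in path}
    if "network" in decisions.values() and "full" not in decisions.values():
        relaxed = ", ".join(n for n, d in decisions.items() if d == "network")
        raise NatError(
            f"{host.name} is dynamically NATed at {relaxed} and no router "
            f"on the path filters its untranslated address {host.ip}")
    return decisions


def path_is_safe(host: Host, path: List[Router]) -> bool:
    """Boolean wrapper around validate_dynamic_nat."""
    try:
        validate_dynamic_nat(host, path)
        return True
    except NatError:
        return False


# Constructed sample topology (names and addresses are made up)
NET_A = Network("network:a", "10.1.1.0/24", nat={"ext": "dynamic"})
SERVER = Host("host:srv", "10.1.1.10", NET_A)
PINNED = Host("host:pinned", "10.1.1.20", NET_A, static_nat={"ext"})
INSIDE = Router("router:inside")                      # untranslated side
BORDER = Router("router:border", active_nat={"ext"})  # sees only the pool

if __name__ == "__main__":
    print(validate_dynamic_nat(SERVER, [INSIDE, BORDER]))
    print(path_is_safe(SERVER, [BORDER]))
```

A path consisting only of the border router is rejected: the border can match nothing more specific than the translated network, so without an inside router the rule would quietly widen to the whole network. A host with its own static translation stays host-specific everywhere and needs no such backup.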

2004-10-14  Heinz Knutzen  <hk@home>

	* Netspoc.pm: New attribute $any->{unnumbered} holds all
	unnumbered networks of a security domain. This is used in get_path
	if $any->{networks} is empty.

2004-09-08  heinz  <heinz@linux>

	* netspoc: Optional argument '1' for expand_rules if conversion of
	hosts to subnets should be done.

2004-09-03  heinz  <heinz@linux>

	* Netspoc.pm: Fix: Transfer NAT attribute from hosts to subnets.

2004-09-01  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Character '-' may be used in names of hosts and
	networks now.

2004-08-22  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Check for duplicate NAT definition.

2004-07-20  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	New concept of 'subnets' in internal data structures.
	A subnet has attributes 'ip' and 'mask', like networks.
	Multiple hosts with successive IP addresses are converted to a
	single subnet object. A host with an ip address range is split
	into subnets which cover the original range.
	Two subnets are in 'subnet_of' relation if one subnet contains the
	other subnet.
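
Added Python example (not Netspoc's Perl): runs of successive hosts and address ranges converted to subnets with ip/mask pairs, plus the subnet_of relation. It also shows the 32-bit masking that the 2005-09-17 entry ("64 bit clean") refers to. Function names are made up and the sample addresses are constructed.

```python
# Added example (not Netspoc's own code): hosts and ranges as subnet objects.
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
Subnet = Tuple[int, int]   # (ip, mask) as 32-bit integers


def ip2int(text: str) -> int:
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {text!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int2ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix2mask(prefix: int) -> int:
    """Mask for the ip/prefix syntax. The '& MASK32' keeps the result 32
    bits wide; with 64-bit integers a left shift or complement would
    otherwise carry extra high bits (the '64 bit clean' issue)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    return (MASK32 << (32 - prefix)) & MASK32


def range_to_subnets(lo: int, hi: int) -> List[Subnet]:
    """Split an inclusive address range into the fewest aligned subnets."""
    out: List[Subnet] = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside the range
        while lo & (2 * size - 1) == 0 and lo + 2 * size - 1 <= hi:
            size *= 2
        out.append((lo, MASK32 & ~(size - 1)))   # complement masked to 32 bits
        lo += size
    return out


def hosts_to_subnets(hosts: List[str]) -> List[Subnet]:
    """Hosts with successive addresses are merged into subnet objects."""
    addrs = sorted({ip2int(h) for h in hosts})
    out: List[Subnet] = []
    run_start: Optional[int] = None
    prev = 0
    for a in addrs:
        if run_start is None:
            run_start = a
        elif a != prev + 1:
            out.extend(range_to_subnets(run_start, prev))
            run_start = a
        prev = a
    if run_start is not None:
        out.extend(range_to_subnets(run_start, prev))
    return out


def is_subnet_of(small: Subnet, big: Subnet) -> bool:
    """True if 'big' contains 'small' (the 'subnet_of' relation)."""
    s_ip, s_mask = small
    b_ip, b_mask = big
    return b_mask <= s_mask and (s_ip & b_mask) == b_ip


def fmt(subnet: Subnet) -> str:
    return f"{int2ip(subnet[0])}/{bin(subnet[1]).count('1')}"


if __name__ == "__main__":
    # Constructed sample: four successive hosts and one loner
    for s in hosts_to_subnets(["10.1.1.7", "10.1.1.4", "10.1.1.5", "10.1.1.6", "10.1.1.9"]):
        print(fmt(s))
    for s in range_to_subnets(ip2int("10.1.1.1"), ip2int("10.1.1.6")):
        print(fmt(s))
```

Splitting a range into aligned blocks is what keeps a generated ACL exact: a range 10.1.1.1-10.1.1.6 becomes four entries rather than a single /29 that would also cover .0 and .7.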

2004-07-13  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Substituted many uses of is_host, is_network, etc.
	by direct calls of 'ref'. For a large configuration, this reduced
	runtime from 156 to 150 seconds.  

2004-07-11  Heinz Knutzen  <hk@home>

	* Netspoc.pm: object-groups are enabled by default now; new
	attribute no_object_groups.

	* Netspoc.pm: Prevent multiple identical routes to different
	interfaces with identical virtual IP.

	* Netspoc.pm: Fixed bug with object-groups and NAT.

	* Netspoc.pm: Disabling: handle case, where topology is completely
	disabled.

2004-07-05  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Fixed small bug in link_topology:
	A single network must not have both a managed and a short
	interface. This must likewise be true for an unnumbered managed
	interface.

2004-07-04  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Rules outside of a policy aren't supported any longer.

	* Netspoc.pm: Removed unused variable @reverse_rules.

2004-07-02  heinz  <heinz@linux>

	* Netspoc.pm: Prevent multiple error messages about missing 'any'
	rules. 

2004-07-01  heinz  <heinz@linux>

	* Netspoc.pm:
	Only warning, no error for "Virtual IP: Missing second interface"

	* Netspoc.pm: Generation and optimization of secondary rules
	now is done during local optimization.

	* netspoc: gen_secondary_rules -> mark_secondary_rules

	* Netspoc.pm: Optimization of NetSPoC code itself:
	- new global hash %ref2obj which maps a network object
	  (a reference) to itself. This is used to convert a hash key of a
	  reference back to the original reference. This simplifies code for
	  global optimization and for finding PIX object-groups and chains
	  of iptables.
	- Removed useless attribute dst_network.
	- Don't calculate attributes for static command repeatedly.
	- Don't calculate routing and static for unnumbered networks.

2004-06-30  heinz  <heinz@linux>

	* Netspoc.pm: Syntax: router:xxx is no longer supported, use
	interface:xxx.[all] instead.

	* Netspoc.pm: Better handling of disabled parts of topology.

	* Netspoc.pm: Internally, an 'any' or 'every' object is always
	linked with a network.

2004-06-29  heinz  <heinz@linux>

	* Netspoc.pm: Fix: static NAT entry was missing for outside NAT

2004-06-28  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Syntax: Pathrestriction must be bound to managed
	interface only.

	* Netspoc.pm: Don't handle interface specially in
	find_active_routes_and_statics.

	* Netspoc.pm: Changed code of global optimization to have similar
	structure as local optimization.

2004-06-27  Heinz Knutzen  <hk@home>

	* Netspoc.pm: local optimization for intf_rules, i.e. destination
	is interface of a managed router.

2004-06-26  Heinz Knutzen  <hk@home>

	* netspoc: Added local_optimization.

	* Netspoc.pm: Enhanced local optimization.

2004-06-22  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Fixed a bug in local optimization: a locally deleted
	rule must not vanish at other routers.

2004-06-21  Heinz Knutzen  <hk@home>

	* Netspoc.pm: Result of auto interface must not be unnumbered or
	short interface. 

	* Netspoc.pm: Each router gets a local optimization of all rules
	which are distributed to this router.

2004-06-17  Heinz Knutzen  <hk@home>

	* Netspoc.pm: New: Chains for iptables, similar to PIX
	object-groups.

	* Netspoc.pm: Bug fix: the finishing 'deny any any' rule must
	still be inserted at the end of an ACL.

2004-06-16  Heinz Knutzen  <hk@home>

	* netspoc: removed calls to order_any_rules, repair_deny_influence.

	* Netspoc.pm: Cleaned up handling of any rules: Code for any
	rules is now inserted at top of ACLs, directly behind deny
	rules. This usually gives better performance, because any rules
	match many packets.

2004-06-15  Heinz Knutzen  <hk@home>

	* netspoc: Function check_any_rules replaces convert_any_rules.

	* Netspoc.pm: Changed handling of 'any' rules. 
	No automatically inserted deny rules any longer.
	Instead, any rules are checked if global rule semantics and router
	semantics are equivalent.

2004-06-11  Heinz Knutzen  <hk@home>

	* language.html: Added documentation for Virtual IP.

2004-05-11  heinz  <heinz@linux>

	* Netspoc.pm: Better secondary optimization if path has loops.

2004-05-06  heinz  <heinz@linux>

	* Netspoc.pm: New test, that hosts and Interfaces don't have
	overlapping IP addresses. 

2004-05-03  heinz  <heinz@linux>

	* Netspoc.pm: Changed order of operation during optimization, to
	get better results with managed interfaces.

	* Netspoc.pm: path_first_interfaces now behaves correctly, when
	src and dst are the same router or network.

2004-04-19  heinz  <heinz@linux>

	* Netspoc.pm: Corrected handling of any:[local] when used in
	conjunction with auto: interfaces.

	* Netspoc.pm: Attribut 'static_manual' no longer supported.

2004-04-16  heinz  <heinz@linux>

	* Netspoc.pm: PIX: added missing "interface" keyword in
	access-group.

	* Netspoc.pm: PIX static/nat/global: now works in both directions.

2004-04-06  heinz  <heinz@linux>

	* Netspoc.pm: New syntax "any:[local]". 
	If src/dst is a managed interface, this may be used as dst/src and
	names the security domain which is attached to this interface.

2004-04-05  Heinz Knutzen  <hk@home>

	* Netspoc.pm: any any rules may be used now, if no additional
	'auto any rules' need to be inserted.

2004-03-25  Heinz Knutzen  <hk@home>

	* Netspoc.pm: better internal representation of hardware
	interfaces.

2004-03-15  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	- error_atline + syntax_err with multiple arguments.
	- Syntax of routers: arbitrary order of attributes.

2004-03-01  heinz  <heinz@linux>

	* Netspoc.pm: object-groups ready.

	* Netspoc.pm: cleaned up NAT for object-groups.

2004-02-28  Heinz Knutzen  <hk@home>

	* Netspoc.pm: object-groups for src + dst, no services.
	Problem: rules must not have 'any' object.

	* Netspoc.pm: object-groups first try.

2004-02-27  Heinz Knutzen  <hk@home>

	* index.html: + Todo list, minor changes

2004-02-25  heinz  <heinz@linux>

	* netspoc: call rules_distribution instead of collect_acls.

	* Netspoc.pm: Prepare object-groups:
	collect_acls renamed to distribute_rules,
	code generation for rules is done later, when printing ACLs of
	single routers. This allows us to generate PIX object-groups and
	user defined chains of iptables.

2004-02-24  Heinz Knutzen  <hk@local>

	* Netspoc.pm: eliminated "interface:ARTIFICIAL\@$net1->{name}"

2004-02-23  Heinz Knutzen  <hk@local>

	* VERSION: netspoc-2.1

2004-02-21  Heinz Knutzen  <hk@local>

	* Netspoc.pm: trailing comma allowed at end of lists

	* Netspoc.pm, language.html: + EIGRP

2004-02-18  Heinz Knutzen  <hk@local>

	* VERSION: 2.0

	* index.html: + Todo list,

	* Makefile: + Netspoc.pm

	* language.html: 
	added: NAT, pathrestriction, removed: rules

2004-02-13  Heinz Knutzen  <hk@local>

	* Netspoc.pm:
	get_auto_interfaces generalized to path_first_interfaces.

2004-02-13  Heinz Knutzen  <hk@local>

	* Netspoc.pm: More than two interfaces with same virtual IP.

2004-02-06  heinz  <heinz@linux>

	* netspoc: Don't call warn_pix_icmp by default.

2004-02-03  heinz  <heinz@linux>

	* Netspoc.pm: Abort if interface has network or broadcast address.

2004-02-02  heinz  <heinz@linux>

	* Netspoc.pm: Better optimization of secondary and reverse rules.

2004-01-29  heinz  <heinz@linux>

	* Netspoc.pm: Short interfaces may be defined at any network where
	no managed interface exists with static routing enabled.

2004-01-27  heinz  <heinz@linux>

	* Netspoc.pm: Implemented check for too restrictive path
	restrictions which disable all possible paths inside a cyclic
	subgraph.

2004-01-21  heinz  <heinz@linux>

	* Netspoc.pm: Linux: omit prefix /32

	* Netspoc.pm: Enabled optimization for rules with managed
	interfaces as destination.

	* newpolicy: set exit status correctly

2004-01-20  heinz  <heinz@linux>

	* Netspoc.pm: iptables completed

2004-01-19  heinz  <heinz@linux>

	* Netspoc.pm: Linux: add for 'ip route add' was missing.

2004-01-15  heinz  <heinz@linux>

	* Netspoc.pm: path restrictions implemented.

2004-01-14  heinz  <heinz@linux>

	* Netspoc.pm: Warning for duplicate static routes.

2004-01-08  heinz  <heinz@linux>

	* Netspoc.pm: Virtual IP must not be equal to some standard IP.

2004-01-07  heinz  <heinz@linux>

	* Netspoc.pm: Support of general cyclic subgraph, restriction to
	simple loops has gone.

2004-01-01  Heinz Knutzen  <hk@local>

	* Netspoc.pm: virtual IP-addresses for VRRP / HSRP

2003-12-30  Heinz Knutzen  <hk@local>

	* Netspoc.pm: NAT is supported at all routers, not only managed.

	* Netspoc.pm: [auto] interfaces for non-managed routers as well.

2003-12-23  Heinz Knutzen  <hk@local>

	* Netspoc.pm: Internal change: path_walk now traverses every
	router on a path, not only managed routers. Now we can bind NAT at
	any router and implement interface:router.[auto] for any router.

2003-12-17  heinz  <heinz@linux>

	* Netspoc.pm: new: interface:[managed].[auto], .[all],
	interface:[all].[all], any:[all],
	but currently not interface:[all].[auto] 

2003-12-09  heinz  <heinz@linux>

	* Netspoc.pm: NAT: code generation for PIX firewalls:
	static, global, nat

2003-12-05  heinz  <heinz@linux>

	* language.html: NAT Syntax included, but documentation is still
	missing. 

	* language.html: Documentation for reroute_permit

	* Netspoc.pm: New attribute 'reroute_permit' for interfaces.

2003-12-04  heinz  <heinz@linux>

	* Netspoc.pm: Better error checking with NAT. 

2003-12-01  Heinz Knutzen  <hk@local>

	* Netspoc.pm:
	First version with NAT. Support for PIX static is still missing.

2003-11-28  heinz  <heinz@linux>

	* Netspoc.pm: Disabled warnings about unenforceable rules.

2003-11-24  Heinz Knutzen  <hk@local>

	* Netspoc.pm: Found interesting bug in perl 5.6: if 'v1' is used
	as hash key like {v1} it is converted into a version string by
	mistake. 

2003-11-21  Heinz Knutzen  <hk@local>

	* Netspoc.pm: Optimization of reverse and normal rules.

2003-11-09  Heinz Knutzen  <hk@local>

	* Netspoc.pm: iptables: deny any any added

2003-11-06  Heinz Knutzen  <hk@local>

	* Netspoc.pm: Code for OSPF is now generated machine independent.

2003-11-03  Heinz Knutzen  <hk@local>

	* Netspoc.pm: New function order_any_rules

2003-11-02  Heinz Knutzen  <hk@local>

	* Netspoc.pm: Code for answer packets at stateless packet filters
	isn't generated on the fly any longer, but we use reverse rules
	internally.

2003-10-29  Heinz Knutzen  <hk@local>

	* Netspoc.pm: Introduced tcp services with 'established' flag
	internally.
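
Added example in Python (not Netspoc's code) covering this entry together with the 2003-11-02 entry on reverse rules, the 2005-08-25 entry on src_ports, and the 2003-05-12 entry about not checking the source port of established TCP connections: a reverse rule is built by swapping src/dst and srv/src_ports, then rendered as a Cisco IOS extended ACL line. Class and function names, and the decision that deny rules and non-TCP/UDP rules get no reverse rule, are assumptions.

```python
# Added example (not Netspoc's own code): reverse rules for answer packets
# at a stateless packet filter.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ANY_PORTS: Tuple[int, int] = (1, 65535)


@dataclass(frozen=True)
class Service:
    proto: str                           # "tcp", "udp", "icmp" or "ip"
    ports: Tuple[int, int] = ANY_PORTS   # inclusive range; unused unless tcp/udp
    established: bool = False            # tcp only: match answer packets


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str
    dst: str
    srv: Service         # protocol and destination port(s)
    src_ports: Service   # source port(s); protocol "ip" when srv is not tcp/udp


def make_rule(action: str, src: str, dst: str, srv: Service,
              src_ports: Optional[Service] = None) -> Rule:
    """Fill src_ports the way the 2005-08-25 entry describes."""
    if src_ports is None:
        src_ports = Service(srv.proto) if srv.proto in ("tcp", "udp") else Service("ip")
    return Rule(action, src, dst, srv, src_ports)


def gen_reverse_rule(rule: Rule, check_src_port: bool = False) -> Optional[Rule]:
    """Rule for the answer packets a stateless filter must permit.

    src/dst are swapped and so are srv/src_ports. TCP answers are matched
    with the 'established' flag and, by default, without looking at the
    source port. Deny rules and non-TCP/UDP rules get no reverse rule
    (an assumption here; the ChangeLog states it for deny rules of TCP).
    """
    if rule.action != "permit" or rule.srv.proto not in ("tcp", "udp"):
        return None
    new_srv = rule.src_ports          # old source ports become destination ports
    new_src_ports = rule.srv          # old destination ports become source ports
    if rule.srv.proto == "tcp":
        new_srv = replace(new_srv, established=True)
        if not check_src_port:
            new_src_ports = Service("tcp")
    return Rule(rule.action, rule.dst, rule.src, new_srv, new_src_ports)


def port_clause(svc: Service) -> List[str]:
    if svc.proto not in ("tcp", "udp") or svc.ports == ANY_PORTS:
        return []
    lo, hi = svc.ports
    return ["eq", str(lo)] if lo == hi else ["range", str(lo), str(hi)]


def to_ios(rule: Rule) -> str:
    """Cisco IOS extended ACL line for a host-to-host rule."""
    words = [rule.action, rule.srv.proto, f"host {rule.src}",
             *port_clause(rule.src_ports), f"host {rule.dst}", *port_clause(rule.srv)]
    if rule.srv.established:
        words.append("established")
    return " ".join(words)


def acl_with_answers(rules: List[Rule], check_src_port: bool = False) -> List[str]:
    """Each rule followed by the line for its answer packets, if any."""
    lines: List[str] = []
    for r in rules:
        lines.append(to_ios(r))
        rev = gen_reverse_rule(r, check_src_port)
        if rev is not None:
            lines.append(to_ios(rev))
    return lines


if __name__ == "__main__":
    # Constructed sample rules with made-up addresses
    web = make_rule("permit", "10.1.1.1", "10.2.2.2", Service("tcp", (80, 80)))
    dns = make_rule("permit", "10.1.1.1", "10.9.9.9", Service("udp", (53, 53)),
                    Service("udp", (1024, 65535)))
    for line in acl_with_answers([web, dns]):
        print(line)
```

The reverse UDP line is deliberately narrow (source port 53, destination ports 1024-65535): a stateless filter cannot tell answers from new connections, so every widening of the reverse rule is policy that the original rule never expressed. For TCP the 'established' match (ACK or RST set) carries that burden, which is why the source port can be dropped there.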

2003-10-23  Heinz Knutzen  <hk@local>

	* Netspoc.pm: Code changes in preparation of generating linux
	iptables code. Code for secondary packet filters isn't generated
	on the fly any longer, but we use now secondary rules internally.

2003-10-06  Heinz Knutzen  <hk@local>

	* Netspoc.pm: Implemented code generation for linux iproute

2003-09-29  Heinz Knutzen  <hk@local>

	* Netspoc.pm: New variable %router_info describes properties of
	different router models.

	* Netspoc.pm:
	When expanding a router to its interfaces, unnumbered interfaces are
	left out now.

2003-08-27  heinz  <heinz@linux>

	* Netspoc.pm: An attribute 'description' has been added to policies.
	A description is marked with 'description ='; the value is read until
	end of line is reached. A description is ignored by default.
	If the global variable "store_description"
	is set, descriptions are stored internally. This may be useful,
	when the Netspoc module is called from a reporting tool.

2003-08-26  heinz  <heinz@linux>

	* Netspoc.pm: additional code for supporting OSPF fully:
	permit ospf <network> <network> for an interface where OSPF is
	allowed 

2003-08-11  heinz  <heinz@linux>

	* Netspoc.pm:
	New attribute 'file' contains filename, from which the element was
	read: router, network, any, every, group, service, servicegroups,
	policy, rule.

	* Netspoc.pm: show_read_statistics:  statistic for policies

	* Netspoc.pm, netspoc.pod: $allow_toplevel_rules = [0|1|'warn']
	Allow rules at toplevel or only as part of policies.

	* Netspoc.pm:
	Secondary filter: ACLs for return packets are always generated, even
	for ICMP.

2003-08-10  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	Fixed some subtle bugs in optimization of automatically generated
	'any' rules with attached deny_networks. Only managed devices with
	multiple interfaces were affected. 
	See 2nd policy in examples/auto_any_deny. 

2003-08-03  Heinz Knutzen  <hk@home>

	* VERSION, NEWS.html: netspoc-1.7

	* TODO: nested loops + path restrictions

	* Netspoc.pm: Refined last bug fix for secondary packet filters.

2003-08-01  Heinz Knutzen  <hk@home>

	* Netspoc.pm:
	A bug was fixed. ACLs for secondary packet filter were too permissive
	for rules having an interface of a full packet filter as source or destination.

2003-07-27  Heinz Knutzen  <hk@home>

	* index.html: Source: netspoc -> Netspoc.pm

	* index.html: NEWS -> NEWS.html

	* NEWS.html: New file.

2003-07-25  heinz  <heinz@home>

	* VERSION: netspoc-1.6

	* index.html: added News, removed Description, Homepage

	* Netspoc.pm: Fixed bugs in path marking of loops

	* language.html: Better overview for policies

	* Netspoc.pm:
	Now error messages are always tagged with "Error:" or "Syntax error:"

	* Netspoc.pm: Corrected number of arguments when calling setpath_obj

2003-07-24  heinz  <heinz@home>

	* Makefile: added INSTALL file.

	* INSTALL: New file.

	* language.html: Added description and syntax of policies.
	Corrected syntax of network and service groups

2003-05-26  Heinz Knutzen  <heinz@netspoc>

	* newpolicy: new default path /home/diamonds

2003-05-23  Heinz Knutzen  <heinz@netspoc>

	* Netspoc.pm: introduced new syntax "policy" for grouping and
	naming rules.

2003-05-14  Heinz Knutzen  <heinz@netspoc>

	* Netspoc.pm: Warning message "unenforceable" isn't printed
	multiple times any longer for the same rule.

2003-05-12  Heinz Knutzen  <heinz@netspoc>

	* netspoc: now use "use lib $FindBin::Bin" to find Netspoc.pm at
	the same place where the netspoc executable is installed.

	* Netspoc.pm:
	For stateless cisco routers the source port isn't checked any
	longer for established tcp connections.

2003-05-08  Heinz Knutzen  <heinz@netspoc>

	* Netspoc.pm: split function read_data into read_file + read_netspoc

2003-05-07  Heinz Knutzen  <heinz@netspoc>

	* netspoc: Made a single perl module Netspoc.pm from most content
	of the netspoc program. Only the main program remains in file netspoc.

2003-05-06  Heinz Knutzen  <hk@home>

	* netspoc: bug fixed:
	"Exiting subroutine via next at /usr/local/bin/netspoc line 482"

2003-05-02  Heinz Knutzen  <hk@home>

	* netspoc: Simplified tagging for paths from src to dst inside of loops.

2003-02-27  Heinz Knutzen  <hk@home>

	* Released: netspoc-1.5

	* netspoc: Always generate duplicate routing entries in loops.

2003-02-26  Heinz Knutzen  <hk@home>

	* language.html: updated

2003-02-18  Heinz Knutzen  <hk@home>

	* netspoc: $auto_default_route may only be activated if no
	network 0.0.0.0 exists. 

2003-02-16  Heinz Knutzen  <hk@home>

	* netspoc: Warning if different interfaces have identical IP
	addresses. 

2003-02-15  Heinz Knutzen  <hk@home>

	* netspoc: New attribute 'routing' for interfaces of managed routers.
	Possible value is currently only 'OSPF'.
	When given, this disables generation of static routes for this
	interface and adds access-list entries to permit IP packets to
	addresses 224.0.0.5 and 224.0.0.6 from any for this interface.

	* netspoc: attribute 'routing_manual' of routers is replaced by
	attribute 'routing' of interfaces.

2003-02-14  Heinz Knutzen  <hk@home>

	* netspoc: auto_default_route is only done, if at least
	two routing entries can be replaced by a default route.

2003-01-30  Heinz Knutzen  <hk@home>

	* netspoc: New option $auto_default_route to optimize the number
	of routing entries per router. 
	For each router find the hop, where the largest number of routing
	entries points to and replace them with a single default route. 
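This entry and the two refinements recorded above it (2003-02-14: at least two entries must be replaceable; 2003-02-18: not if a network 0.0.0.0 exists) together describe one small algorithm. The following Python is an added worked example of that algorithm and is not Netspoc's own code (Netspoc is written in Perl); the dict-shaped route table, the function names and the IOS `ip route` rendering are assumptions made for the example, and the addresses are constructed sample values.

```python
"""Default-route optimisation as described in the ChangeLog entries of
2003-01-30, 2003-02-14 and 2003-02-18 (added illustration, not Netspoc code)."""
import ipaddress
from collections import Counter

DEFAULT_NET = "0.0.0.0/0"


def auto_default_route(routes, min_replaced=2):
    """Replace the largest group of routes sharing one next hop by a default route.

    routes: dict mapping destination network (CIDR text) to next-hop address
            (assumed shape for this example).
    Returns a new dict; the input is left untouched.
    Guards modelled from the ChangeLog:
    - if a network 0.0.0.0 is already present, nothing is optimised, because
      a generated default route would collide with it (2003-02-18);
    - optimise only if at least `min_replaced` entries are replaced (2003-02-14).
    """
    if DEFAULT_NET in routes or not routes:
        return dict(routes)
    # Count how many entries point to each hop and pick the most frequent one
    hop, count = Counter(routes.values()).most_common(1)[0]
    if count < min_replaced:
        return dict(routes)
    optimized = {net: h for net, h in routes.items() if h != hop}
    optimized[DEFAULT_NET] = hop
    return optimized


def ios_static_routes(routes):
    """Render the table as IOS 'ip route <network> <mask> <hop>' lines."""
    lines = []
    for net, hop in routes.items():
        n = ipaddress.ip_network(net, strict=False)
        lines.append(f"ip route {n.network_address} {n.netmask} {hop}")
    return lines


if __name__ == "__main__":
    # Constructed sample table: three entries via 192.0.2.1, one via 192.0.2.2
    sample = {
        "10.1.0.0/16": "192.0.2.1",
        "10.2.0.0/16": "192.0.2.1",
        "10.3.0.0/24": "192.0.2.1",
        "172.16.0.0/12": "192.0.2.2",
    }
    for line in ios_static_routes(auto_default_route(sample)):
        print(line)
```

The two guards matter from a security standpoint: a generated default route gives packets for every undeclared destination a path they did not have before, so the option is only worth it when it actually removes entries, and never when the policy already declares a 0.0.0.0 network whose route the generated one would silently override.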

2002-12-11  Heinz Knutzen  <hk@home>

	* netspoc: Implemented "secondary packet filters".
	In a given topology we may have chains of managed packet filters
	on the path from src to dst. Each packet filter is a "full packet
	filter" by default, which does full filtering for each rule 
	again and again.
	A secondary packet filter has simpler rules for permitted traffic
	which gets further filtering by a full packet filter. In this
	case it allows any ip packets from src network to dst network.
	A secondary packet filter is declared by the attribute
	"managed = secondary". This may be useful if a router has not
	enough memory for storing a complete set of filter rules.
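To make the difference between a full and a secondary packet filter concrete, here is an added Python model of the ACL entries one managed device emits for a single rule. It is not Netspoc's own code (which is Perl); it also folds in the stateless-router behaviour recorded in the 2003-05-12 and 2002-07-11 entries above (answer packets allowed to any port, tcp answers checked only via `established`) and the return-entry note of 2003-08-11. The `Device`/`Rule` fields, the IOS-style wildcard output, and the assumption that a secondary filter may only use its coarse entry when another device on the path filters the rule fully are choices made for this example.

```python
"""Toy model of 'full' vs 'secondary' packet filters on one src -> dst path
(added illustration, not Netspoc code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    managed: str             # "full" or "secondary" (assumed attribute values)
    stateless: bool = False  # stateless IOS: answer packets need their own entries


@dataclass(frozen=True)
class Rule:
    src: str                     # network in CIDR notation, e.g. "10.1.0.0/16"
    dst: str
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    port: Optional[int] = None   # destination port for tcp/udp


def ios_addr(cidr: str) -> str:
    """Render a network as IOS 'address wildcard' text."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def full_filter_lines(rule: Rule, stateless: bool) -> List[str]:
    """Entries for a full packet filter: the exact service, plus entries for
    answer packets on stateless devices (any source port; for tcp only the
    'established' flag is checked)."""
    src, dst = ios_addr(rule.src), ios_addr(rule.dst)
    if rule.proto in ("tcp", "udp") and rule.port is not None:
        lines = [f"permit {rule.proto} {src} {dst} eq {rule.port}"]
    else:
        lines = [f"permit {rule.proto} {src} {dst}"]
    if stateless:
        if rule.proto == "tcp":
            lines.append(f"permit tcp {dst} {src} established")
        else:
            lines.append(f"permit {rule.proto} {dst} {src}")
    return lines


def acl_lines(device: Device, rule: Rule, path: List[Device]) -> List[str]:
    """Entries `device` needs for `rule`; `path` lists the managed devices
    between src and dst, including `device`.

    Assumption of this example: a secondary filter may use its coarse
    'permit ip src-net dst-net' entry only when another device on the path
    filters the rule fully; otherwise it must do the full filtering itself."""
    full_elsewhere = any(d.managed == "full" for d in path if d is not device)
    if device.managed == "secondary" and full_elsewhere:
        src, dst = ios_addr(rule.src), ios_addr(rule.dst)
        lines = [f"permit ip {src} {dst}"]
        if device.stateless:
            # The return entry is always generated for secondary filters, even for ICMP
            lines.append(f"permit ip {dst} {src}")
        return lines
    return full_filter_lines(rule, device.stateless)


if __name__ == "__main__":
    # Constructed sample: stateless secondary router in front of a full filter
    r1 = Device("r1", "secondary", stateless=True)
    fw = Device("fw", "full")
    rule = Rule("10.1.0.0/16", "10.2.0.0/24", "tcp", 80)
    for dev in (r1, fw):
        print(f"! {dev.name}")
        for line in acl_lines(dev, rule, [r1, fw]):
            print(line)
```

The point of the fallback in `acl_lines` is the one the 2003-08-01 and 2003-08-03 entries above are about: a secondary filter's coarse entry is only safe while some full filter on the path still enforces the real service, so whenever that is not the case the secondary device has to carry the exact rule itself.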

2002-12-10  Heinz Knutzen  <hk@home>

	* netspoc: CVS working files: ^.# -> ^\.#

	* netspoc: new attribute for routers: routing_manual

2002-12-05  Heinz Knutzen  <hk@home>

	* netspoc: Topology allows simple loops now. Loops may not be
	nested and may not touch each other. Still some caveats with loops;
	see TODO.

	* newpolicy:
	Check for updated and checked in working directory now uses "update -d"

2002-11-13  Heinz Knutzen  <hk@home>

	* netspoc: Bug fix.  
	If there were only rules allowing traffic from src to dst, but no
	rules for traffic back from dst to src, then no routing entries
	from dst to src were generated. This wasn't correct, since traffic
	back to src may be allowed implicitly by stateful packet filters.

2002-08-28  Heinz Knutzen  <hk@home>

	* netspoc.pod, netspoc: variable $strict_subnets now may have values
	0, 'warn' or 1. If set to 'warn', netspoc warns about undeclared
	subnet relations.
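As an added illustration of what such a check does (not Netspoc's own code, which is Perl), the Python below looks for networks contained in other declared networks and compares that with the `subnet_of` attribute introduced in the 2002-03-16 entry further down; the three values 0, 'warn' and 1 select whether nothing, a warning or an error is produced. The dict shape of the input, the function name, the message wording, and the assumption that `subnet_of` names the smallest enclosing declared network are choices made for this example; the addresses are constructed.

```python
"""Check of declared subnet relations, modelled on the strict_subnets option
(values 0, 'warn', 1) and the subnet_of attribute (added illustration, not
Netspoc code)."""
import ipaddress


def check_subnets(networks, strict_subnets=1):
    """Report networks that lie inside another network without declaring it.

    networks: dict name -> {"ip": CIDR text, "subnet_of": parent name (optional)}
              (assumed shape for this example)
    strict_subnets: 0 = check disabled, 'warn' = warnings, 1 = errors
    Returns a list of (level, message) tuples, in declaration order.
    Assumption: 'subnet_of' must name the smallest enclosing declared network.
    """
    if not strict_subnets:
        return []
    level = "warn" if strict_subnets == "warn" else "error"
    parsed = {name: ipaddress.ip_network(attrs["ip"], strict=False)
              for name, attrs in networks.items()}
    findings = []
    for name, net in parsed.items():
        # All declared networks that strictly contain this one
        enclosing = [(other, onet) for other, onet in parsed.items()
                     if other != name and onet != net and net.subnet_of(onet)]
        if not enclosing:
            continue
        # The longest prefix among them is the immediate parent
        parent = max(enclosing, key=lambda item: item[1].prefixlen)[0]
        declared = networks[name].get("subnet_of")
        if declared == parent:
            continue
        if declared is None:
            msg = f"network:{name} is subnet of network:{parent} but no subnet_of is declared"
        else:
            msg = f"network:{name} is subnet of network:{parent} but declares subnet_of = {declared}"
        findings.append((level, msg))
    return findings


if __name__ == "__main__":
    # Constructed sample: 'small' sits inside 'mid' without saying so
    sample = {
        "big": {"ip": "10.0.0.0/8"},
        "mid": {"ip": "10.1.0.0/16", "subnet_of": "big"},
        "small": {"ip": "10.1.1.0/24"},
        "other": {"ip": "192.168.0.0/16"},
    }
    for level, msg in check_subnets(sample, "warn"):
        print(f"{level}: {msg}")
```

An undeclared containment is worth flagging because a rule written for the enclosing network also matches the hidden subnet; making the relation explicit keeps that effect visible in the policy rather than only in the generated ACLs.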

2002-07-24  Heinz Knutzen  <hk@home>

	* netspoc:
	NetSPoC didn't complain if an 'any' object was linked to an unknown
	router object.

2002-07-23  Heinz Knutzen  <hk@home>

	* Released netspoc-1.4

	* examples: added auto-any-deny

2002-07-21  Heinz Knutzen  <hk@home>
	
	* VERSION: netspoc-1.4

2002-07-20  Heinz Knutzen  <hk@home>

	* netspoc:
	Fixed bug in optimization: deny_networks from rules with auto_any
	objects were never deleted, even if traffic was explicitly
	allowed by another rule. This bug was introduced in version 1.1.

2002-07-12  Heinz Knutzen  <hk@home>

	* netspoc: Fixed small bug in order_ranges. This bug was
	introduced in version 1.3.

2002-07-11  Heinz Knutzen  <hk@home>

	* VERSION: netspoc-1.3

	* language.html: Added syntax for source port ranges

	* netspoc:
	No special handling for source ports at stateless IOS routers any
	longer. Answer packets for udp and tcp are allowed to any port.

2002-07-09  Heinz Knutzen  <hk@home>

	* netspoc: Handling of src port in services

2002-07-04  Heinz Knutzen  <hk@home>

	* Released netspoc-1.2
	
	* Examples added
	
2002-06-13  Heinz Knutzen  <hk@home>

	* 'any_dst_group' optimization only for stateful devices

2002-06-11  Heinz Knutzen  <hk@home>

	* Better comments in generated code

2002-05-02  Heinz Knutzen  <hk@home>

	* Support for stateless IOS.
	Warning: Switched names for router models:
	Old: 'IOS' was IOS router with Firewall Feature Set
	New: 'IOS' is normal IOS router, 'IOS_FW' is IOS router with FFS

	* Routing to unnumbered networks now works

	* Unnumbered network must be connected to at most two interfaces

	* Fewer error messages, if network for interface is missing

2002-04-29  Heinz Knutzen  <hk@home>

	* Automatic protection of managed interfaces is ready.
	Using new attribute if_code

2002-04-25  Heinz Knutzen  <hk@home>

	* Script newpolicy:
	- calling cvs directly without a shell to prevent problems with quotes
	  in message texts
	- fixed bug in setting home directory

	* First try of automatic protection of IOS router interfaces

	* Bug fix: hosts shouldn't be allowed in unnumbered networks
	
	* Deleted rules now have a reference to the rule which caused 
	the deletion. This eases debugging.

2002-04-07  Heinz Knutzen  <hk@home>

	* Released netspoc-1.1
	
2002-04-02  Heinz Knutzen  <hk@home>

	* Optimization of sub-ranges even better

2002-04-02  Heinz Knutzen  <hk@home>

	* Optimization replaces ranges of hosts with matching user defined
	ranges

	* Optimization finds all sub-ranges

2002-04-01  Heinz Knutzen  <hk@home>

	* Hosts with multiple ip addresses are represented as groups
	internally.

	* Fixed bug in handling of attribute 'subnet_of'

2002-03-27  Heinz Knutzen  <hk@home>

	* Better handling of disabled network objects

	* No longer duplicate code for 'any' -> dst rules

2002-03-26  Heinz Knutzen  <hk@home>

	* Fixed bug in auto_any optimization

	* Better auto_any optimization

2002-03-25  Heinz Knutzen  <hk@home>

	* Fixed bug in convert_any_dst_rule: premature loop exit

2002-03-24  Heinz Knutzen  <hk@home>

	* check_deny_influence -> repair_deny_influence

	* permit 'any' -> 'any' rules are rejected

2002-03-21  Heinz Knutzen  <hk@home>

	* Fixed bug when finding unused groups

	* Unused servicegroups are found as well

	* Better context for syntax errors.

2002-03-19  Heinz Knutzen  <hk@home>

	* Optimization: new handling of 'any' objects, duplicate permit
	any rules aren't generated any longer.

	* Show version info in verbose mode

	* New options: warn_unused_groups, strict_subnets

2002-03-16  Heinz Knutzen  <hk@home>

	* Sub-networks must be declared using 
	new attributes for networks: 'route_hint' and 'subnet_of'

	* Repaired a bug with pix security levels: all interfaces except
	inside and outside got level 1.

	* Better error checking & reporting with security levels

2002-03-12  Heinz Knutzen  <hk@home>

	* Gives warning for unused groups

2002-03-11  Heinz Knutzen  <hk@home>

	* Released netspoc-1.0
