Changes

{{$NEXT}}

3.039     2025-01-10 09:38:22+01:00 Europe/Berlin

 - Added more named ports for Cisco IOS:
   drip, onep-plain, onep-tls, time

3.038     2024-11-22 13:41:49+01:00 Europe/Berlin

 - Fix issue recognize prompt during login.
   New ASA Software does not send leading CR character.
   Removed required CR character for login prompt.

3.037     2024-11-11 16:12:54+01:00 Europe/Berlin

 - Config option 'basedir' is mandatory now.
   Change your directory structure to this values before upgrading:
   - netspocdir      => ${basedir}/policies,
   - lockfiledir     => ${basedir}/lock
   - historydir      => ${basedir}/history
   - statusdir       => ${basedir}/status
   - aaa_credentials => ${basedir}/credentials
  - Migrated Perl script newpolicy.pl to shell script newpolicy.sh.

3.036     2024-10-30 17:20:21+01:00 Europe/Berlin

 - Fixed command 'newpolicy.pl' to be compatible with new config
   option 'basedir'.
 - Option 'basedir' will become mandatory in next version of this software
   and not in this version as announced previously.

3.035     2024-10-28 12:06:44+01:00 Europe/Berlin

 - Added new config option 'basedir'. If this option is given,
   default values are used for these old options:
   - netspocdir      => ${basedir}/policies,
   - lockfiledir     => ${basedir}/lock
   - historydir      => ${basedir}/history
   - statusdir       => ${basedir}/status
   - aaa_credentials => ${basedir}/credentials
   These old options will be no longer valid in next version of this software.
 - Changed format of status file for command 'missing-approve' to JSON.
 - Fixed URL for committing changes to device of type PAN-OS.
   Previously the URL looked like
   https://address/api/?key=xxx&https://address/api/?key=xxx&type=commit

3.034     2024-10-04 10:26:33+02:00 Europe/Berlin

 - For device of type ASA that has interface not known by Netspoc,
   ACL of this interface is no longer removed during approve.
 - Migrated program 'approve.pl' from Perl to Go as 'do-approve'.
 - Migrated program 'missing-approve' from shell script to Go.
 - Program 'diamonds' is no longer a manually installed executable
   with SUID bit set, but a shell script calling 'sudo'.
 - Program 'newpolicy' no longer calls 'suid-newpolicy' but 'sudo-newpolicy'
   which is a shell script calling 'sudo'.
 - Modified error message for failed login.
   Option '--brief' of command 'do-approve' now only suppresses
   messages about failed logins, but not other timeouts.
 - Error message 'Authentication failed' is now also shown for ASA.
   Previously a timeout message was shown.

3.033     2024-09-06 10:31:32+02:00 Europe/Berlin

 - Migrated program 'drc3.pl' from Perl to Go.
   It is named 'drc' now.
   'drc3.pl' is still available as symbolic link to 'drc'.
   Programs 'drc-asa', 'drc-ios', 'drc-linux', 'drc-nsx', 'drc-pan-os'
   have been removed.
 - When running 'diamonds compare' or 'drc3.pl -C' and device has changed,
   then changes are written to file '*.cmp'.
 - Migrated program 'get-netspoc-approve-conf' from Perl to Go.
 - This warning from ASA is ignored now: 'crypto map entry will be incomplete'.

3.032     2024-08-14 11:55:20+02:00 Europe/Berlin

 - Fixed sorting of rules for NSX where rule references group
 - Fixed compare of rules for NSX where rule references external
   group, that is not known by Netspoc.
 - Fixed check of raw file for NSX:
   - Name of group must start with "Netspoc",
     but must not start with "Netspoc-g<NUM>".
   - Name of service must start with "Netspoc-raw".
 - Migrated approve for Linux from Perl to Go.

3.031     2024-07-25 11:31:12+02:00 Europe/Berlin

 - Fixed wrong seq num "0" in added "tunnel-group-map" from Netspoc.

3.030     2024-07-23 13:12:24+02:00 Europe/Berlin

 - Fixed unwanted "exit" from conf mode.
 - Fixed: Logfiles *.login, *.change are saved now,
   if policy is approved multiple times.
 - More warnings are ignored:
   - For "crypto map", "no crypto map":
     "The crypto map entry is incomplete!"
   - For "no access-list":
     "Same object-group is used more than once in one config line"

3.029     2024-06-12 11:17:04+02:00 Europe/Berlin

 - Fixed seq num for inserted commands of crypto map.
 - Changed default group for "crypto [dynamic-]map set pfs"
   from "group2" to "group14".
 - Use git instead of cvs.

3.028     2024-05-08 11:03:25+02:00 Europe/Berlin

 - Fixed: Allow new option 'netspoc_git' in config file in preparation
   of next release.

3.027     2024-04-22 17:39:54+02:00 Europe/Berlin

 - Command 'newpolicy' shows content of compile.log only on error.
 - Allow new option 'netspoc_git' in config file in preparation
   of next release.

3.026     2024-03-25 11:14:48+01:00 Europe/Berlin

 - Fix for IOS: Prevent moving of permit rule for device access
   if a deny rule is added or removed.

3.025     2024-03-18 17:17:01+01:00 Europe/Berlin

 - Fix: No longer ignore shutdown interface of ASA device.

3.024     2024-03-04 16:23:30+01:00 Europe/Berlin

 - Fixed panic when comparing ASA webvpn command.
   Device with webvpn but without any certificate-group-map
   is handled correctly now.

3.023     2024-03-01 10:59:06+01:00 Europe/Berlin

 - Bug fix: Change ACL at shutdown interface of IOS device.

3.022     2024-02-19 14:37:42+01:00 Europe/Berlin

 - Still referenced ACLs must not be deleted even if name has -DRC- .
 - Referenced but unknown ACL is silently ignored for IOS.
 - Again allow comment '#' as header of JSON for NSX.

3.021     2024-02-14 18:01:57+01:00 Europe/Berlin

 - Migrated approve for IOS from Perl to Go.
   - Order of rules inside blocks of successive permit/deny rules
     is ignored during compare.
   - Unused ACLs with name ending in -DRC-<NUM> are removed.
   - Changed timeout of reload command from 5 to 2 minutes.
   - Option '-u' of command drc3.pl is implemented for all device types.
 - Removed support for Cisco NX-OS.
 - Removed support for EZVPN at Cisco devices.
 - "tunnel-group-map default-group" referencing predefined
   tunnel-group like DefaultL2LGroup is no longer silently ignored on device,
   but removed instead.
 - No longer ignore duplicate access-group command in raw files,
   but abort instead.
 - No longer ignore header in JSON config for NSX.

3.020     2023-11-13 11:21:42+01:00 Europe/Berlin

 - Fixed issues in code for ASA:
   - Order of two adjacent ACL lines accidentally was swapped if first
     line was moved and second one was inserted.
   - An inserted or deleted ACL entry accidentally used a decremented
     line number if a leading ACL entry was already moved.
   - Timeout message is ignored if device is unreachable and
     'diamonds compare' was called with parameter '--brief'.

3.019     2023-10-26 15:16:42+02:00 Europe/Berlin

 - Use sequence number from 65535 downwards for crypto map dynamic in
   code for ASA. This matches the behaviour of the previous Perl version.

3.018     2023-10-23 15:38:38+02:00 Europe/Berlin

 - Bug fix in migrated code for ASA.
   The bug could occur in this situation:
   Two rules on device reference the same object-group A. These rules
   are changed to reference two different object-groups B and C.  In
   this case the original object-group A may get changed to values of
   both B and C.

3.017     2023-10-18 13:42:00+02:00 Europe/Berlin

 - Migrated approve for ASA from Perl to Go.
   In first step the new code is only used for selected device names,
   given in drc3.pl.
 - Files in "raw/ipv6/" are ignored now.

3.016     2023-08-28 16:27:32+02:00 Europe/Berlin

 - Mixed IPv4 and IPv6 configuration is allowed now in files directory "raw/".
   Files in "raw/ipv6/" should be merged into files in "raw/".
   Directory "raw/ipv6/" will be ignored from next version of this program.

3.015     2023-08-09 12:27:33+02:00 Europe/Berlin

 - Meta information about device is no longer read from header of
   generated code, but from new file DEVICE.info

3.014     2023-08-03 11:48:59+02:00 Europe/Berlin

 - Better check for out of sync from unexpected text in banner.

3.013     2023-08-02 11:30:50+02:00 Europe/Berlin

 - Ignore config option server_ip_list for NSX and PAN-OS.

3.012     2023-08-01 11:34:11+02:00 Europe/Berlin

 - New config option server_ip_list, an optional space separated list
   of IP addresses.
   Each address in server_ip_list is compared with value of
   Policy_distribution_point in code file from Netspoc, to decide
   if the policy distribution point will be used as a proxy server
   to reach a destination.
   If server_ip_list is not set, no proxy server is used or will
   be configured in .ssh/config .
 - Prevent finding of prompt in banner message.

3.011     2023-03-16 13:40:13+01:00 Europe/Berlin

 - PAN-OS: Check high availability state before approving a device.
   If HA is enabled, device is only touched if state is
   - "active"         for mode "Active-Passive"
   - "active-primary" for mode "Active-Active"
 - NSX, PAN-OS: Sent and received packets for login are logged to
   file DEVICENAME.login .

3.010     2023-01-11 11:24:17+01:00 Europe/Berlin

 - NSX: Support attribute "tag" in rules for logging purpose.

3.009     2022-12-20 13:53:26+01:00 Europe/Berlin

 - Fixed NSX: ICMPTypeServiceEntry and IPProtocolServiceEntry

3.008     2022-12-16 11:27:11+01:00 Europe/Berlin

 - Added support for NSX Tier 0 & Tier 1 gateways

3.007     2022-12-06 13:18:46+01:00 Europe/Berlin

 - Fix PAN-OS: No longer show 'device changed' on unchanged device.

3.006     2022-12-05 17:59:18+01:00 Europe/Berlin

 - Fix: Encode query parameters when requesting API key.

3.005     2022-12-02 11:33:42+01:00 Europe/Berlin

 - No longer use fixed API key when accessing a PAN-OS device.
   Now the password has to be stored in file .aaa_credentials.
   Username and password are used to request a new API key on each run.
   The PAN-OS device should be configured to automatically delete
   unused API keys after some time.
 - Fixed reusing of groups for PAN-OS.
   If a group on device was changed to match new elements from Netspoc,
   the same group was used, where the original elements were needed.
 - Fixed command 'newpolicy.pl' to use previous POLICY file if server
   was set up freshly.
 - Changed package structure to enable support for other device types.

3.004     2022-10-13 16:14:32+02:00 Europe/Berlin

 - Added support to merge IPv4 and IPv6 code for single VSYS of PAN-OS.
 - Fixed exit status of script 'start-jobs' if run in non verbose mode.
 - Script 'delete-old-policies' now also cleans up 'lockfiledir'.

3.003     2022-05-13 11:59:16+02:00 Europe/Berlin

 - Added support for service-groups of Palo-Alto devices.

3.002     2022-04-07 14:37:52+02:00 Europe/Berlin

 - Added support for commands "anyconnect-custom xxxx"

3.001     2022-03-15 15:35:37+01:00 Europe/Berlin

 - Ignore sequence numbers shown in ACL lines since IOS-XE 16.12.
 - Command 'newpolicy' no longer runs 'cvs edit'.

3.000     2021-12-20 14:16:55+01:00 Europe/Berlin

 - Added support for Palo-Alto devices.
   - The device is reached by one of its IP addresses that are given in the
     config generated by Netspoc.
   - The IPs are taken from netspoc topology:
     1. router with attribute 'management_instance'
     2. router with attributes 'management_instance' and 'backup_of'.
   - The API-key must be generated manually and
     put together with corresponding user name into file .aaa_credentals
   - The device config is read from candidate config.
   - A Vsys is only touched if its <display-name> contains string "netspoc".
   - After changes have been applied they are committed automatically.
   - The Netspoc config may be extended by a raw file:
   - XML syntax
     - <config> with rules, addresses, address-groups, services
     - without <shared>
     - is allowed to reference objects from <shared> on device
     - must not reference objects in generated config from Netspoc
     - rules from raw are prepended to rules from Netspoc per default
     - rules with attribute </APPEND> are appended instead
   - Device config is logged in file DEVICENAME.config
   - Sent commands and response from device is logged in
     file DEVICENAME.change

2.022     2021-12-03 16:02:33+01:00 Europe/Berlin

 - Fix: Show warning if ASA has interface that isn't known in Netspoc.

v2.021    2021-10-15 12:49:02+02:00 Europe/Berlin

 - Ignore manually configured 'isakmp keepalive' options at
   'tunnel-group ipsec-attributes'.

2.020     2020-12-18 13:01:44+01:00 Europe/Berlin

 - Fixed merging of crypto map from raw.
   This failed if number of seq nums from raw was smaller than from Netspoc.
 - Fixed again: Sanity check for access-list bound to more than one interface.
   Also ignore interface that is shutdown or has no IP.

2.019     2020-11-05 12:43:19+01:00 Europe/Berlin

 - Fixed again: Sanity check for access-list bound to more than one interface.
   Also ignore shutdown interfaces of unmanaged VRF.

2.018     2020-11-04 11:34:13+01:00 Europe/Berlin

 - Fix: Sanity check for access-list bound to more than one interface
   is only done for managed interfaces of device having multiple VRFs.

2.017     2020-11-02 12:42:58+01:00 Europe/Berlin

 - Crypto map entries from raw file are prepended
   to entries from Netspoc now.
 - Fix: More then one crypto map entry can be added in raw file now.

2.016     2020-08-13 15:08:13+02:00 Europe/Berlin

 - Attributes of crypto map can be changed and added from raw files now.
   Changing attribute 'match address' appends or prepends ACL lines.
 - If a reload banner is preceeded by more than 3 empty lines,
   these are ignored altogether now.
 - Fixed new config option "compress_at".

2.015     2020-04-23 16:38:12+02:00 Europe/Berlin

 - Compress files even with hardlinks, using option -f of bzip2.
 - New config option "compress_at" with default value 4
   in config file (/usr/local)/etc/netspoc-approve
 - Allow not only 3 but 4 empty lines before reload banner.
 - Strip CR at end of lines read from device.
   This is useful when applying drc3.pl directly to output of "sh run".

2.014     2019-11-01 11:57:04+01:00 Europe/Berlin

 - Double quoted string is now accepted for map-value of ldap attribute-map.

2.013     2019-10-16 15:18:04+02:00 Europe/Berlin

 - Added new named port names: aol, cifs, citrix-ica, secureid-udp, vxlan
 - Changed definition for port name: dnsix from 90 to 195

2.012     2019-08-14 11:14:42+02:00 Europe/Berlin

 - Fix: 'no anyconnect-custom perapp'
 - Cron: Compress old files after 4 days.

2.011     2019-06-07 12:47:36+02:00 Europe/Berlin

 - Fix: newpolicy must only read, not write file LOCK.

2.010     2019-06-07 11:49:28+02:00 Europe/Berlin

 - Changed and simplified newpolicy and newpolicy.pl
   - Better interaction with Netspoc-API:
      Moved POLICYDB/next/failed to POLICYDB/failed
   - No longer write current username to lock file.
   - File compile.log is no longer locked, POLICYDB/LOCK is checked instead.
   - Better handling of edge cases:
     - No error message on first run with empty POLICYDB.
     - Detect if netspoc fails fast.
   - newpolicy.pl can run in taint mode again.
   - Only untaint path if run as other user.
   - Added automatic tests.

2.009       2019-04-18 12:05:28+02:00 Europe/Berlin

 - Fixed exit code of command "diamonds compare".
   Change in Crypto-Filter ACL wasn't reported, if interface ACL was unchanged.
   Change in IPv6 routing wasn't reported, IPv4 routing was unchanged.

2.008       2019-04-10 15:24:09+02:00 Europe/Berlin

 - Fix: Find correct aaa-server on device by name.
 - authentication-server-group is transferred or changed now.

2.007       2019-04-09 15:12:24+02:00 Europe/Berlin

 - Fix: Use correct name of group policy in map-value of ldap attribute-map.
 - Fix: No longer remove spare ip local pool and group policy,
        if referenced by new config.

2.006       2019-04-08 15:22:59+02:00 Europe/Berlin

 - Fix: Use existing aaa-server on device.

2.005       2019-03-18 16:43:38+01:00 Europe/Berlin

 - ASA: Added support for 'ldap attribute-map'.

2.004       2019-02-12 18:20:59+01:00 Europe/Berlin

 - Adapted version parsing to IOS 16.x.x having more than one dot.

2.003       2018-10-24 17:44:42+02:00 Europe/Berlin

 - Check ACL usage in raw files:
   - ACL must only be referenced once,
   - must not reference unknown ACL.

2.002       2018-08-14 11:27:07+02:00 Europe/Berlin

 - IP addresses of interfaces are compared now between device and Netspoc.
   A warning is printed if differences are found.
   No distinction is made between secondary and primary IP addresses.
   If interface has 'negotiated' address in Netspoc then IP at device
   is ignored.
 - No longer show warning about unused default tunnel-group-map
   referencing built-in tunnel-group on device.

2.001       2018-07-18 15:08:47+02:00 Europe/Berlin

 - Added support for attribute 'extended-key-usage' for ASA.
 - ASA configuration with active 'global access-list' is rejected now,
   because Netspoc generated ACLs are modified in unknown way.
 - For ASA, ACL with 'any' is accepted only from device and from raw file
   for IPv4-only config.
 - Command 'newpolicy' now ignores file '.cvsrc' to better handle
   empty directories in diff.

2.000       2018-03-12 11:28:02+01:00 Europe/Berlin

 - When switching from incoming to outgoing ACL or vice versa,
   unused ACL is now removed only after new ACL is defined.
 - Newpolicy now recognizes changes in new directories.
 - Fixed reload banner handling to deal with both one or two prompts.
 - Added IPv6 commands for ASA (Version >= 9): Routing, ACL, icmp6.

1.123     2018-02-13 16:49:04+01:00 Europe/Berlin

 - Fixed parsing of reload banner.
   Read extra prompt if banner is shown behind output.
 - Fixed missing error message for 'ip inspect' check of model "IOS, FW".
 - Added check for unbound ACL in raw file.

1.122     2017-12-11 11:33:00+01:00 Europe/Berlin

 - Fixed loading of config files. Previous version aborted
   accidentally if the same option was found in multiple config files.
   Config files are no longer merged now.
   Only first found file is loaded from this list:
   $HOME/.netspoc-approve
   /usr/local/etc/netspoc-approve
   /etc/netspoc-approve

1.121     2017-12-08 15:27:30+01:00 Europe/Berlin

 - Fixed pattern to recognize pending reload in 1 minute.
 - Use "reload in 5" to extend pending reload.

1.120     2017-12-05 15:55:25+01:00 Europe/Berlin

 - Commands "approve-all" and "compare-all" now suppress all output
   for devices with timeout.

1.119     2017-11-13 17:27:45+01:00 Europe/Berlin

 - Ignore harmless warnings from device:
   - For IKEv1, L2L tunnel-groups that have names which are not an IP ...
   - Same object-group is used more than once.
 - Fixed shown diff for iptables.
 - Increased test coverage from 84,5 to 98%.

1.118     2017-07-18 16:03:16+02:00 Europe/Berlin

 - Fixed approve and compare for Linux.

1.117     2017-07-17 14:18:51+02:00 Europe/Berlin

 - Tunnel groups "DefaultL2LGroup", "DefaultRAGroup", "DefaultWEBVPNGroup"
   are now all recognized and are never removed from config.
 - Better handle tunnel group with IP as name,
   that also is referenced by tunnel-group-map.
 - Command 'compare-all' now calls 'diamonds compare' with
   option '--brief' to suppress timeout messages.
 - No longer do semantic comparison of iptables.
   Iptables configs are compared textually now.
   If any difference is found, the whole new config is printed.
 - Model 'ACE' isn't supported any longer.

1.116     2017-05-11 12:20:13+02:00 Europe/Berlin

 - Removed unneeded check for crypto with unmanaged VRF.

1.115     2017-05-08 17:51:21+02:00 Europe/Berlin

 - Fixed wrong warnings from previous version
   about "Interface ... on device is not known by Netspoc".

1.114     2017-05-03 16:55:25+02:00 Europe/Berlin

 - Fixed initial transfer of ASA command 'tunnel-group-map default <name>'.
 - Fixed handling of DfltGrpPolicy.
 - Sub command 'description' of ASA object-groups is ignored now.
 - Ignore unknown attributes in such ACLs, that are never compared.
 - Named static routes are supported now for IOS; name is ignored.
 - Removed support for unused config options
   'try_telnet', 'passwdpath', 'newpolicy_hooks'.

1.113     2016-12-06 14:49:21+01:00 Europe/Berlin

 - Accept keywords 'point-to-point' and 'multipoint' in interface command.

1.112     2016-09-05 09:31:28+02:00 Europe/Berlin

 - Fixed wrong status from 'diamonds compare' with Cisco routers.
   It always showed changed ACLs, even if all ACLs had been unchanged.
   This bug had been introduced in version 1.111.

1.111     2016-06-15 14:54:32+02:00 Europe/Berlin

 - Crypto filter ACLs are transferred incrementally for IOS routers now.
 - Dropped support for model PIX.

1.110     2016-03-11 14:58:17+01:00 Europe/Berlin

 - Automatically confirm "Overwrite the previous NVRAM configuration",
   after a preceding IOS update.

1.109     2016-03-10 16:06:13+01:00 Europe/Berlin

 - Show TIMEOUT error in history file, even if approve is called
   with option '--brief'.

1.108     2016-03-04 14:51:13+01:00 Europe/Berlin

 - Support for NAT commands (nat, global, static) has been dropped
   completely, even for Cisco PIX.
   These commands are no longer touched by Netspoc-Approve.

1.107     2016-01-28 14:54:19+01:00 Europe/Berlin

 - Use "clear configure crypto dynamic-map NAME" to remove dynamic
   crypto map.

1.106     2015-12-02 16:41:11+01:00 Europe/Berlin

 - Accept interface with 'ip address dhcp' as negotiated interface.

1.105     2015-10-12 14:36:40+02:00 Europe/Berlin

 - NAT commands (nat, global, static) are ignored now for all versions
   of ASA, even for ASA with version < 8.4.
 - Handling of NAT at old PIX devices is currently unchanged,
   but support for these devices will be dropped at end of year.

1.104     2015-10-02 14:52:24+02:00 Europe/Berlin

 - An ACL line that permits ESP or AH (protocol 50 or 51)
   is no longer moved inside an existing ACL.
   A new ACL is created instead.
   This is done to prevent accidental lock out from device,
   if the device is accessed via an ESP/AH tunnel.
 - Twice NAT command of ASA >= 8.4 isn't touched by approve any longer.
   Twice NAT and the corresponding "network object" commands
   have to be configured manually now.

1.103     2015-09-22 16:54:12+02:00 Europe/Berlin

 - No longer show annoying 'PROCESS/Change' messages when approving
   Cisco firewall.
 - Prepare for upcoming change of Netspoc to two pass compiler:
   - Ignore any file with extension in pxx/code, not only *.raw files.
   - newpolicy.pl
     - adds symlink pxx+1/code/.prev pointing to pxx/code
     - removes pxx/code/*.{config,rules} after pxx+1/code has successfully
       been generated.

1.102     2015-07-22 17:06:42+02:00 Europe/Berlin

 - Added port names msrpc, ripv6, connectedapps-plain, connectedapps-tls
   for Cisco ISR-4321 router.

1.101     2015-07-22 09:56:51+02:00 Europe/Berlin

 - Fix: Enter conf mode before removing crypto filter ACL.

1.100     2015-07-20 16:28:08+02:00 Europe/Berlin

 - Fixed bug where tunnel-group with IP address occosionally was
   tried to define twice.
   This occured if a corresponding tunnel-group-map was added.

1.099     2015-06-29 11:40:47+02:00 Europe/Berlin

 - Crypto commands for IOS are assumed to be configured mostly manually now.
   This allows to process devices with IKEv2 configuration.
   - Existence is checked for
     - 'crypto map ipsec-isakmp' and
     - 'crypto ipsec client'.
   - Filter ACLs of crypto maps are compared and updated.
   - All other crypto commands and their sub commands are ignored and
     left unchanged.

1.098     2015-06-18 15:34:19+02:00 Europe/Berlin

 - Fixed processing of tunnel-group-map referencing tunnel-group with IP.

1.097     2015-06-09 14:49:17+02:00 Europe/Berlin

 - Added support for dynamic crypto map.
   - Name must be unique, e.g. certificate name.
   - Only a single sequence number can be used per dynamic-map.
 - Added support for ikev2 ipsec-proposal.
 - Automatically add and remove transform-sets.
 - Ignore pre-shared key in crypto map. Must be set manually.
 - Split logfile from 'Expect' (*.tel) into 3 separate files
   *.login, *.config, *.change.
 - Move existing logfile from Expect before writing new one.

1.096     2015-01-22 10:59:03+01:00 Europe/Berlin

 - Approve won't check interfaces if generated config
   contains no interfaces at all. This occurs for device with
   "managed=routing_only".
 - Added support of 'remark' lines in ACLs of Cisco IOS.

1.095     2014-11-26 18:17:44+01:00 Europe/Berlin

 - Fixed warning, when reading empty status file.

1.094     2014-11-26 17:51:59+01:00 Europe/Berlin

 - Added support for named TCP port 'ctiqbe' = 2748 for cisco devices.

1.093     2014-11-21 11:18:23+01:00 Europe/Berlin

 - Added workaround for bug #100342 in Expect.pm when parsing ouput of
   Linux commands.
 - Added new config option "keep_history".
   This option determines, after how many days old history files are removed.
   The value must be >= 30. Default value is 365.
 - Script "delete-old-policies" now also removes old files
   in "historydir" and "statusdir".

1.092     2014-06-26 14:32:25 Europe/Berlin

 - Fixed approve for ASA: Only warn on spare ACL that was
   generated by netspoc.
 - Fixed handling of reload banner by fixing parsing of Cisco prompt.

1.091     2014-06-23 10:16:24 Europe/Berlin

 - Fixed approve for NX-OS again.
   Ignore valid output of 'verify' command.

1.090     2014-06-16 14:02:18 Europe/Berlin

 - Fixed approve for NX-OS.  If 'verify' of configuration session
   fails, the 'abort' command is called now.
 - Fixed 'newpolicy' to recognize removed file.

1.089     2014-05-20 10:21:48 Europe/Berlin

 - Ignore escape sequence following the prompt, when login to Linux device.

1.088     2014-05-19 18:22:47 Europe/Berlin

 - Fixed call to "cvs" in newpolicy:
   Must use relative pathname in server mode.

1.087     2014-05-19 17:32:22 Europe/Berlin

 - The command 'newpolicy' copies the newest version of netspoc files
   from repository to a dedicated directory. From there the generated
   code is deployed to devices.

   Until now, only a single user was allowed to invoke 'newpolicy'.
   Others had to wait until the commd had finished. This was annoying
   if code generation from a large configuration needed some time.

   Now, 'newpolicy' can be invoked by multiple users in parallel.
   First it checks, if there are any changes to the repository.
   - If there are no changes, it exits.
   - Otherwise it checks if these changes are already processes by some
     running instance. Then ist shows the output of that instance.
   - If new changes are pending, it first waits for a running instance
     to terminate. After that, a new instance is started
     to process the pending changes.

   'newpolicy' now calls a C-wrapper that in turn calls 'newpolicy.pl'.
   The C-wrapper has been renamed from 'newpolicy' to 'suid-newpolicy'.

   Existing installations should move 'newpolicy' to 'suid-newpolicy'
   before installing this release.

 - 'newpolicy.pl' no longer checks if the 'netspoc' directory of the
   calling user is up-to-date. Only the repository is checked now.

 - 'newpolicy.pl' exits with status code '2', if another instance is
   already running. It no longer prints a message in this case.

 - Minor fixes to suid-newpolicy.

1.086     2014-04-14 15:13:58 Europe/Berlin

 - New config options in /etc/netspoc-approve:
   - timeout: Timeout during session. Default: 60s
   - login_timeout: Timout when establishing session. Default: 3s
   - try_telnet: Try telnet if device isn't reachable by ssh. (Default: unset)
 - Removed option '-t' of command drc3.pl (default was 500s).

1.085     2014-04-11 12:03:25 Europe/Berlin

 - Ping command isn't used any longer to perform reachability check.
   A shorter timeout of 5s ist used now to prevent long wait at initial
   connection.
   This allows us to use the OpenSSH "ProxyCommand" for SSH connections.

1.084     2014-02-10 17:27:23 Europe/Berlin

 - Fixed login to Linux devices.
   No longer misinterpret '#' in banner as prompt.

1.083     2014-02-06 11:47:36 Europe/Berlin

 - Second and third transform name is optional now
   in command 'crypto ipsec transform-set' of IOS.
 - Added support for "remark" in ACL of NX-OS.
 - Added option '-u <username>' to drc3.pl to set the username for
   logon to remote device.
 - Fixed command 'missing-approve' to no longer print duplicate router
   names if both, netspoc file and raw file have changed.

1.082     2014-01-08 11:45:36 Europe/Berlin

 - Added support for attributes 'dns' and 'unidirectional' in twice NAT.
 - Unnumbered interface with name 'mpls' from Netspoc is silently ignored,
   if device has some interface with 'ip mpls'.

1.081     2013-12-10 12:00:17 Europe/Berlin

 - Added support for 'destination static' in twice NAT of ASA 8.4.

1.080     2013-10-29 16:08:25 Europe/Berlin

 - Added support for keyword [APPEND] in raw files.
   This changes the behaviour of ACLs defined after this keyword.
   The ACL is no longer prepended, but it is appended to a Netspoc
   generated ACL. It is appended at the end of an ACL,
   but before the trailing "deny any any" entry from Netspoc.

 - Fixed missing-approve: If last compare found diff and if it occured
   later than last approve, then show missing-approve.

1.079     2013-08-23 14:07:33 Europe/Berlin

 - Urgent bug fix: Startup config with static routes for linux
   is written correctly again. Was broken since version 1.066.
 - Domain-name is ignored now when comparing
   name of device and router name from netspoc.
 - Secondary ip address of NX-OS can be parsed now but is still ignored.

1.078     2013-08-14 16:21:51 Europe/Berlin

 - Command "approve-all" no longer operates on all devices
   but only on devices shown by missing-approve.
 - Command "missing-approve" checks for newer compare status
   even if last approve failed.

1.077     2013-07-02 16:05:18 Europe/Berlin

 - Added protocol name 'icmp6' => 58 for Cisco devices.
 - New format for aaa_credentials file
   - multiple lines
   - three fields, separated by whitespace: pattern username password
   - If current device name matches pattern, then return username and password.
   - Pattern may contain shell wildcard characters
     * matches zero or more characters
     ? matches one character
   - First matching line is taken.
   Old format is still supported
   - Only a single line with two fields: "username password"
   - is equivalent to "* username password"

1.076     2013-06-20 16:11:19 Europe/Berlin

 - Bug fix: Again read hostname from prompt for PIX.

1.075     2013-06-20 14:30:54 Europe/Berlin

 - Bug fix: Again read hostname from prompt for IOS.

1.074     2013-06-20 12:51:38 Europe/Berlin

 - No longer abort on 'names' command.
   Instead the 'name' command must not be used.
 - Support keyword 'any4' in ACL (for ASA 9.x).
 - Support keyword 'destination' in service-object of ASA.
 - Support 'remark' in ACL.
 - Handle ACL lines that only differ in 'log' keyword.
 - Ignore time-range when parsing ACL.
 - Use 'show hostname' and no longer the prompt
   to get hostname of Cisco device.
 - Command "newpolicy" now ignores files matching '.#*' in working copy.

1.073     2013-05-14 17:43:57 Europe/Berlin

 - Ignore subcommand of "crypto ipsec transform-set"
   e.g. "mode tunnel" or "mode transport".
 - An ACL or object-group which is unrelated to ACLs generated by Netspoc
   isn't removed any longer on ASA and PIX.
   (This is already the default for IOS and NX-OS.)

1.072     2013-04-24 17:28:55 Europe/Berlin

 - Parallel jobs started by commands 'approve-all' and 'compare-all':
   - New optional parameter to change the number of jobs:
     approve-all [parallel-count]
   - Default value has been increased from 10 to 40
 - New config file option "newpolicy_hooks".
   The value is a list of paths to be called
   after successful run of newpolicy.
 - Added newpolicy.pl from Netspoc project.
 - Added scripts "compress-policies" and "delete-old-policies"
   to be called from cron.
 - Changed all hard coded paths for netspocdir to be read
   from config file (/usr/local)/etc/netspoc-approve
 - New commandline tool 'get-netspoc-approve-conf' to read option
   from config file.

1.071     2013-03-27 14:42:57 Europe/Berlin

- Fixed bug when comparing crypto ACLs and crypto filter ACLs.
  Result was unreliable, because inverted masks from IOS had been used.
- Fallback to username / password if only password was given for telnet.
- Better error messages if telnet or ssh failed.

1.070     2013-03-25 14:10:33 Europe/Berlin

- Support named loglevel in ACL of ASA/PIX

1.069     2013-03-12 14:51:45 Europe/Berlin

- New command "approve-all"
  Approves all devices shown by missing-approve.
  "diamonds approve" is called with new option --brief
   - message "Reachability test failed" is suppressed
   - final "FAILED" message is suppressed
   - error and warning messages get prefix "device-name:"
- Ignore subcommands of "crypto map ipv6" as well.

1.068     2013-03-07 17:34:18 Europe/Berlin

Bug fix realease

- Fixed ACL approve for IOS.
  Some IOS commands need to be called with "do" prefix,
  because conf mode is entered earlier since support for NX-OS was added.

1.067     2013-03-06 15:50:23 Europe/Berlin

- Ignore that VRFs of a device which are not found
  in the config file from Netspoc.
  This allows to have mixed managed and unmanaged VRFs on the same device.
- Ignore "crypto map ipv6" when parsing IOS config.

1.066     2013-02-19 14:29:54 Europe/Berlin

- Added support for NX-OS of Cisco Nexus devices.
  - ACL, object-groups, routing, VRF
  - Uses "configure session"
  - Interface mgmt0 is located in management VRF by default
- Added support for object-groups of IOS.
- No longer re-read config of IOS after "write mem".
  It is sufficient to check the '[OK]' message.
- missing-approve now compares .raw files if available.
- Code cleanup.

1.065     2012-12-05 17:11:54 Europe/Berlin

- Fixed bug when generating object-group name in ACL.
  There was a bug,
  - when transferring an ACL
  - which references two object-groups,
  - where both object-groups are already available on device
  - and the netspoc name of dst object is identical to
    the device name of the src object.
  In this case a wrong ACL was transferred: src and dst were swapped.

1.064     2012-12-04 14:17:15 Europe/Berlin

- Bugfix: Don't enter configuration mode when comparing.

1.063     2012-11-30 13:50:07 Europe/Berlin

- Bugfix: Standard ACL can't be changed incrementally on ASA

1.062     2012-11-29 17:14:56 Europe/Berlin

- Fixed missing device initialization for IOS,
  logging synchronous, etc.

1.061     2012-11-29 10:51:47 Europe/Berlin

- ACLs are changed incrementally for ASA and PIX now.
  Added test cases especially for ACL with object-group.
- Parser aborts now on unknown command in raw file.
- Simplified merging of route and static commands from raw file.
  Entries are simply prepended to Netspoc data now.
- Added test cases for merging raw files.
- Fixed bug in handling outgoing crypto filter ACL.
- Check for extra tables from Netspoc when comparing Linux.
- No longer issue "no fixup protocol smtp 25" when confuguring PIX.

1.060     2012-11-12 12:36:47 Europe/Berlin

- No longer compare running with startup config
  This doesn't matter, because we check the result of "write mem" anyway.

1.059     2012-09-20 13:13:54 Europe/Berlin

- Change interpreter back to perl (was env perl)

1.058     2012-09-19 17:29:57 Europe/Berlin

- Clean %ENV for taint mode.

1.057     2012-09-17 10:33:35 Europe/Berlin

- ASA: Support interface with ip address pppoe|dhcp
- Check for unsupported tunnel-group <ip> general-attributes
- Changed names in configuration file to lower case.
- Added SUID support script "diamonds".

1.056     2012-09-12 09:10:36 Europe/Berlin

- Fixed console logging directory

1.055     2012-09-11 17:50:38 Europe/Berlin

- Added 'vrf forwarding' as equivalent to 'ip vrf forwarding'
- Reading of password file has been generalized
  Simple name,password tuples are allowed now
  in addition to cisco works format.
- Configuration file is read from
  /etc/netspoc-approve
  /usr/local/etc/netspoc-approve
  ~/.netspoc-approve
- Added support of object-group service, protocol for ASA
- No longer compare 'crypto isakmp identity' for IOS
- Removed rex3

1.054     2012-03-07 15:39:45 Europe/Berlin

- Command 'compare-all' no longer uses raw files.

1.053     2012-03-07 11:34:03 Europe/Berlin

- Command 'missing-approve' no longer shows names of raw files.
- Raw files are expected at code/xxx.raw now.
- Ignore network objects not generated by Netspoc.
- Restrict accepted line number of ASA 8.4 NAT to 1.

1.052     2012-02-13

- Fixed error while reading AAA_CREDENTIALS

1.051     2012-02-12

- Added support of changed NAT for ASA 8.4.
- Removed unused password cruft.

1.050     2012-01-23

- Fixed named port number 'sip' to 5060, 5600 was wrong
- Add support for anyconnect clients of ASA 8.4

1.049    2011-12-19

- Support ASA version 8.2- and 8.4-syntax for transform-set
  of "crypto-map"-command.

1.048    2011-12-13

- Added support for more named port numbers:
  sip => 5600, rtsp => 554