mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 02:37:16 +01:00

Added release notes for v4.0.2 to the package. fixes #1515
Vadim Kurland 2010-06-15 02:49:35 +00:00
parent 6502d09f78
commit 3bbffffa54
4 changed files with 657 additions and 1 deletions


@ -1 +1 @@
#define BUILD_NUM 2986
#define BUILD_NUM 2987


@ -1,5 +1,8 @@
2010-06-14 Vadim Kurland <vadim@vk.crocodile.org>
* release_notes_4.0.2.html: Added release notes for v4.0.2 to
the package. fixes #1515
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed SF bug
3015641 "imported REJECT rule changed during compile". Importer of
iptables rules did not handle properly parameters of the REJECT
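
Review bot: The new ChangeLog entry at the top of this hunk names only release_notes_4.0.2.html, but the same commit also adds a second new file headed "Firewall Builder 4.0.1 Release Notes". List both files in the entry so the log matches what is added. The entry also says the notes were added "to the package", yet none of the four changed files is a packaging or install file; confirm the new HTML files are actually picked up by the build.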


@ -0,0 +1,347 @@
<h1>Firewall Builder 4.0.1 Release Notes</h1>
<p>
This release comes with fixes several minor bugs in the GUI and
other components, improves policy importer for iptables and
introduces support for HP ProCurve ACLs.
</p>
<a name="gui"></a>
<h2>Changes in the GUI</h2>
<ul>
<li>
<p>fixed #1443 GUI crashes compiling file opened read-only. If a
file that was added to RCS was opened read-only and then any
firewall object in it compiled, the GUI crashed trying to update
"last_compiled" timestamp.</p>
</li>
<li>
<p>fixed #1444 compile error on FreeBSD-Current
Compiler issues error "/usr/include/utmp.h:2:2: error: #error
&lt;utmp.h&gt; has been replaced by &lt;utmpx.h&gt;"
</p>
</li>
<li>
<p>
fixes #1447: context menu item "Edit" associated with rule set
object in the tree opens it in the rule set view and the editor
panel. Menu item "Open" only opens it in the rule set view. This
eliminates strange behavior where it would open in the rule set
view on first click on "Edit" and then in the editor in the
second click on "Edit". Double click used to work the same, the
first double click opened in rule set view, the second in the
editor. Now double click always opens in rule set view and the
editor which is more consistent with the behavior for other
object types.
</p>
</li>
<li>
<p>
fixed #1339 "Logging" icon appears looking the same as "Rule
options" icon on Mac
</p>
</li>
<li>
<p>
fixed #1460 "when "show icons in rules" is turned off, there is no
way to tell when logging is turned on and non-default options are
present in a rule".
</p>
</li>
<li>
<p>
fixed #1464, SourceForge bug 3004274: "Branch rule set object
displays improperly". Branch rule set attribute was not loaded
properly into Branch action dialog for rules of PF firewalls.
</p>
</li>
<li>
<p>
fixed #1462 "if you do a bulk install, and then want to do a
single install, bulk mode is selected"
</p>
</li>
<li>
<p>
fixed #1461 Need obvious button to add new rule to the empty
rule set. Added button with a "+" icon right above the rule set
view, this button adds new rule to the set.
</p>
</li>
<li>
<p>
fixes #1457 "tooltips for rule options seem to be
broken". Tooltip always includes the line telling of the rule is
"stateful" or "stateless", the function almost never returns
empty string now. Added missing hashlimit parameters to the
rule options tooltip. Some of the more rarely used hashlimit
parameters are still not included in the tooltip. Improved
tooltip formatting using html table.
</p>
</li>
<li>
<p>
fixed #1463 Always show branch rule set name with action "Branch"
</p>
</li>
<li>
<p>
fixed #1469 some actions should always display argument, even
when text labels for actions and directions is off
</p>
</li>
<li>
<p>
applied patch by Vadim Jukov &lt;persgray@gmail.com&gt;,
maintainer of OpenBSD port. Patch fixes compile issues on
OpenBSD
</p>
</li>
<li>
<p>
fixed #1468 Open new object in the editor after it has been
created.
</p>
</li>
<li>
<p>
see #1466 Implemented instrumentation that should help us
improve user experience. Will track few things that new users do
(or don't do) and report as a combination of boolean flags at
the end of the GUI session. Reporting things such as if user
ever looked at the "Getting Started" tutorial, if they created
their first firewall object, modified any rules, tried to
compile, install or import existing rule set. Information passed
in the report is strictly a set of boolean flags, it is not
identifiable and does not reveal what firewall platform they are
using or anything about their objects and rules. List of flags
is listed in the module UserWorkflow.h
</p>
</li>
<li>
<p>
fixed #1478 always use included antlr run-time library. Because
of the fixes I've made in CircularQueue?.hpp in 2008 for 64 bit
systems, we should always link with antlr run-time that is
included with fwbuilder code tree rather than attempt to use the
one that might be installed with the OS.
</p>
</li>
<li>
<p>
fixed #1481 when user changes platform in the firewall object,
its version should change too.
</p>
</li>
<li>
<p>
added mechanism for one-time announcements that can be pulled
from the web site when version check server says there is
one. Announcement is shown only once. To do this, I store time
stamp when it was shown in settings using hash of the
announcement url.
</p>
</li>
<li>
<p>
refs #1483 If program detects change in CustomService object and
the change just adds code string for a platform that was not in
the object in the user's data file, the change is accepted
without showing the dialog.
</p>
</li>
<li>
<p>
fixes #1484 "paste below" function pastes rules out of order
</p>
</li>
</ul>
<a name="importer"></a>
<h2>Changes in the policy importer</h2>
<ul>
<li>
<p>
See #1450 and SourceForge ticket 3000809: iptables parser can
now import "mark" module matches with hexadecimal parameters and
"length" module matches. Also added check in the importer for
broken iptables-save files where rules for any table are not
terminated with "COMMIT".
</p>
</li>
<li>
<p>
fixes #1453 "iptables importer should parse multiport module
parameter --ports". Module multuport with parameter "--ports"
matches either source or destination port numbers. Importer
creates two tcp (or udp) service objects to implement this
match.
</p>
</li>
<li>
<p>
see #1451 "policy importer should support some popular iptables
modules". Added support for module "recent" and rules that match
standard ip/icmp/udp/tcp protocols and at the same time module
"mark", "length", "limit" or "recent". Rules like these are
translated into a combination of a branching rule and additional
rule in a branch rule set that implements module match.
</p>
</li>
</ul>
<a name="standard_obj"></a>
<h2>Changes in the Standard Objects library</h2>
<ul>
<li>
<p>
fixed #1483 "missing code in the custom service object
ESTABLISHED for ProCurve"
</p>
</li>
</ul>
<a name="libfwbuilder"></a>
<h2>Changes in libfwbuilder library</h2>
<ul>
<li>
<p>
fixed #1485 "dns name object is recognized
as an empty group when it appears in shared rule set"
</p>
</li>
</ul>
<a name="procurve"></a>
<h2>Support for HP ProCurve</h2>
<ul>
<li>
<p>
Added experimental support for HP ProCurve "intelligent"
switches (L3). Code is based on the policy compiler for Cisco
IOS extended access lists. Differences include ';' character for
comments, different naming convention for Vlan interfaces ("VLAN
2", with a space), requirement to unbind an ACL from interface
before it can be cleared, different syntax for vlan ACLs and
ACLs bound to switch ports.
</p>
</li>
<li>
<p>
At the time of the release of v4.0.1, we were able to test code
generation for ProCurve ACL but policy installer remains
untested for the lack of hardware. We are going to work on the
installer over the next few months to make sure it works in the
next point version release of fwbuilder.
</p>
</li>
</ul>
<a name="iptables"></a>
<h2>Changes in support for iptables</h2>
<ul>
<li>
<p>
fixed #1455 Function update_addresses() (host OS linux24 and
derivatives) uses both ip and ifconfig. Should stick with
/sbin/ip so the script works on systems where ifconfig is not
installed.
</p>
</li>
<li>
<p>
fixed #1458 Should permit interface name "br-lan" for bridge
interface on Linux. Bridge interfaces on Linux can have any
name, including those with "-". OpenWRT creates bridge interface
with the name "br-lan" by default.
</p>
</li>
</ul>
<a name="dd-wrt"></a>
<h2>Changes in support for DD-WRT</h2>
<ul>
<li>
<p>
fixes #1448 "need to commit nvram changes on DD-WRT".
</p>
</li>
</ul>
<a name="ios"></a>
<h2>Changes in support for for Cisco IOS ACL</h2>
<ul>
<li>
<p>
Compiler uses new configlet "safety_net" to add temporary ACL for
the "safety net" install method.
</p>
</li>
<li>
<p>
restored function of the "comment the code" in the "Script
options" of the firewall settings dialog for Cisco IOS ACL and
ProCurve ACL. When this checkbox is off, comments are not
added to generated script.
</p>
</li>
</ul>
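
Review bot: The #1466 item says usage flags are reported at the end of the GUI session but does not say where the report is sent or how a user can turn it off; add both, since the release notes are where an administrator will look for that. Copy-edit while here: "comes with fixes several minor bugs" in the intro, "telling of the rule is" in the #1457 item, "CircularQueue?.hpp" (stray "?") in the #1478 item, "multuport" in the #1453 item, and the doubled "for for" in the Cisco IOS ACL heading.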


@ -0,0 +1,306 @@
<h1>Firewall Builder 4.0.2 Release Notes</h1>
<p>
This release comes with fixes several minor bugs in the GUI and
other components and improves policy importer for iptables.
</p>
<a name="gui"></a>
<h2>Changes in the GUI</h2>
<ul>
<li>
<p>
Added release notes v4.0.1 and v4.0.2 to the package.
</p>
</li>
<li>
<p>
using separate settings object and file in the .ini format to
store instance uuid to ensure uuid persistence on windows across
upgrades done with complete deinstall. Fixes #1497
</p>
</li>
<li>
<p>added user work flow progress flags for an attempted install and
first successful install. Both flags are Boolean true/false
indicating that the even occurred. We do not track and do not
report any information about the firewall, platform, rules
etc. These flags will be used to determine how many users
abandon the program before even trying to run install for real
because it is too complicated or the UI is not good
enough. Fixes #1495
</p>
</li>
<li>
<p>added user work flow flag indicating that ssh/scp have been
configured in the Preferences dialog. The flag is Boolean and
registers only the fact that something was entered in ssh and
scp fields. Actual path and programs used are not registered and
reported. Fixes #1496
</p>
</li>
<li>
<p>
fixed #1489 removed unnecessary debugging messages.
</p>
</li>
<li>
<p>
fixed #1490 compile problem with Qt 4.7
</p>
</li>
<li>
<p>
fixed #1501 call qsrand(seed) to seed random generator before
generating new UUID
</p>
</li>
<li>
<p>
applied patch from slif@bellsouth.net to fix compiler
warnings. Patch applied partially since not all fixes were
appropriate. fixes #1510
</p>
</li>
<li>
<p>
fixed SF bug #3013532 "file chooser dialog for import policy
does not show all files".
</p>
</li>
<li>
<p>
fixed SF bug #3013855 "various fixes for run_tests". Applied
patch suggested by Michael J. Slifcak (with changes).
</p>
</li>
<li>
<p>
fixed SF bug #3013735 "invalid pixmap properties during
make". Fixed uic warnings.
</p>
</li>
<li>
<p>
fixed #1499 "GroupObjectDialogTest.cpp does not compile with gcc
3.4.6" and SF bug 3015307. There is no reason to make method
insertObject() protected which caused problems (and hacky
workaround) in the unit test.
</p>
</li>
</ul>
<a name="importer"></a>
<h2>Changes in the policy importer</h2>
<ul>
<li>
<p>
fixed #1511, SF bug 3012953: iptables import parse error
icmp_type any
</p>
</li>
<li>
<p>
fixed sourceforge bug 3012953 name of UDP and TCP objects
created during import should follow the same pattern and not
include "0-0" for the source ports if they are equal to zero.
</p>
</li>
<li>
<p>
policy importer for iptables can now parse numerical log levels.
</p>
</li>
<li>
<p>
bug 3012953: iptables importer sometimes does not recognize rule
with " ESTABLISHED,RELATED ". Parser properly processed iptables
rules with state "RELATED,ESTABLISHED" but not when states were
in the opposite order.
</p>
</li>
<li>
<p>
fixed #1513 iptables importer should check default policy in
standard chains. Importer creates rules at the bottom of the
policy rule set to reproduce default policies in the built-in
chains INPUT,OUTPUT,FORWARD. These rules are added only when
default policy in these chains is set to ACCEPT because
generated iptables script always sets default policies to DROP.
Support for this in the mangle table is limited so far, only
default policies in PREROUTING, OUTPUT and POSTROUTING can be
implemented. Rules created for the commands that set default
policy in chains FORWARD and INPUT will generate commands in
PREROUTING chain instead. We will try to address this in the
future if there is sufficient demand.
</p>
</li>
<li>
<p>
fixed #1516 policy importer for iptables should not use
automatic ESTABLISHED rule. (See also SF bug 3012953). Policy
importer for iptables always creates explicit rule to match
ESTABLISHED,RELATED to make sure it goes into the same chain as
the original rule. Also in the same fix, importer creates branch
for iptables rules that match both regular service and state
ESTABLISHED,RELATED. The service is matched in the main policy
rule set, while ESTABLISHED,RELATED state is matched in the
branch.
</p>
</li>
<li>
<p>
fixed SF bug 3015641 "imported REJECT rule changed during
compile". Importer of iptables rules did not handle properly
parameters of the REJECT target.
</p>
</li>
</ul>
<a name="libfwbuilder"></a>
<h2>Changes in libfwbuilder library</h2>
<ul>
<li>
<p>
Added framework for creating data files with predictable and
repeatable object IDs and references. This is used in unit tests
so we can create data files that can be compared.
</p>
</li>
<li>
<p>
fixed missing class variable initialization in class CustomService
</p>
</li>
</ul>
<a name="iptables"></a>
<h2>Changes in support for iptables</h2>
<ul>
<li>
<p>
fixed #1506 SF bug #3011516: generated iptables script tries to
update ip addresses of unnumbered interface.
</p>
</li>
<li>
<p>
</p>
</li>
</ul>
<a name="pf"></a>
<h2>Support for PF</h2>
<ul>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
</ul>
<a name="ios"></a>
<h2>Changes in support for for Cisco IOS ACL</h2>
<ul>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
</ul>
<a name="pix"></a>
<h2>Changes in support for for Cisco ASA (PIX)</h2>
<ul>
<li>
<p>
fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler
should check validity of the object used as network zone of an interface.
</p>
</li>
</ul>
<a name="procurve"></a>
<h2>Support for HP ProCurve</h2>
<ul>
<li>
<p>
</p>
</li>
<li>
<p>
</p>
</li>
</ul>
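
Review bot: The iptables list ends with an empty list item, and the "Support for PF", "Changes in support for for Cisco IOS ACL" and "Support for HP ProCurve" sections contain nothing but empty list items; remove these template placeholders so the shipped notes do not render blank bullets under headings with no changes. The #1497 item introduces a persistent instance uuid, while the #1495 and #1496 items say no information about the firewall, platform or rules is reported; state whether that uuid accompanies the workflow flags, because a stable identifier makes the reports linkable. Also fix "comes with fixes several" in the intro, "the even occurred" in the #1495 item, and the doubled "for for" in the IOS and ASA headings.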