diff --git a/build_num b/build_num index bdaabae26..8fa16c2ec 100644 --- a/build_num +++ b/build_num @@ -1 +1 @@ -#define BUILD_NUM 3133 +#define BUILD_NUM 3134 diff --git a/doc/ChangeLog b/doc/ChangeLog index 61e0a8a85..8e0c3e901 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,14 @@ 2010-07-22 Vadim Kurland + * PolicyCompiler_PrintRule.cpp: added support for iptables module + "set" used to generate iptables command for rules with run-time + AddressTable objects. This module is only available in iptables + 1.4.1.1 and later, however some embedded platforms do not have it + even though they ship later versions of iptables (e.g. OpenWRT). + Use of this module is controlled by a checkbox in the iptables + "advanced" settings dialog which is off by default. This checkbox + becomes disabled when iptables version is set to < 1.4.1.1. + * newClusterDialog_create.cpp (newClusterDialog::createNewCluster): fixed #1622 "Crash when configuring cluster". The GUI used to crash if user created a cluster copying rules of one of the cluster members diff --git a/src/gui/iptAdvancedDialog.cpp b/src/gui/iptAdvancedDialog.cpp index da6dc924e..a48f6fef5 100644 --- a/src/gui/iptAdvancedDialog.cpp +++ b/src/gui/iptAdvancedDialog.cpp @@ -81,13 +81,6 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o) qDebug("%s",Resources::getTargetOptionStr( obj->getStr("host_OS"),"user_can_change_install_dir").c_str()); - if (!Resources::getTargetOptionBool( - obj->getStr("host_OS"), "user_can_change_install_dir")) - { - m_dialog->ipt_fw_dir->setEnabled(false); - //fwoptions->setStr("firewall_dir", ""); - } - //QString s = fwoptions->getStr("ipv4_6_order") data.registerOption(m_dialog->ipv4before, fwoptions, "ipv4_6_order", QStringList() << "IPv4 before IPv6" <<"ipv4_first" << "IPv6 before IPv4" << "ipv6_first"); 
@@ -145,6 +138,8 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o) data.registerOption(m_dialog-> actionOnReject, fwoptions,"action_on_reject", slm); + data.registerOption(m_dialog->useModuleSet, fwoptions, "use_m_set"); + data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh"); data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr"); data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped, @@ -210,6 +205,19 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o) data.loadAll(); switchLOG_ULOG(); + if (!Resources::getTargetOptionBool( + obj->getStr("host_OS"), "user_can_change_install_dir")) + { + m_dialog->ipt_fw_dir->setEnabled(false); + //fwoptions->setStr("firewall_dir", ""); + } + + string version = obj->getStr("version"); + bool can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0); + if (!can_use_module_set) + m_dialog->useModuleSet->setChecked(false); + m_dialog->useModuleSet->setEnabled(can_use_module_set); + m_dialog->tabWidget->setCurrentIndex(0); } diff --git a/src/gui/iptadvanceddialog_q.ui b/src/gui/iptadvanceddialog_q.ui index 9e00144a8..5793074fc 100644 --- a/src/gui/iptadvanceddialog_q.ui +++ b/src/gui/iptadvanceddialog_q.ui @@ -100,11 +100,11 @@ Compiler - - + + - + @@ -220,7 +220,7 @@ - + If output file name is left blank, the file name is constructed of the firewall object name and extension ".fw" @@ -230,7 +230,7 @@ - + @@ -273,7 +273,7 @@ - + Generated script can be copied to the firewall machine under different name. If this field is left blank, the file name does not change. @@ -283,7 +283,7 @@ - + QFrame::HLine @@ -296,7 +296,7 @@ - + @@ -350,6 +350,19 @@ + + + + + 0 + 0 + + + + Accept ESTABLISHED and RELATED packets before the first rule + + + 
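Review bot: The `"1.4.1.1"` cut-off passed to `XMLTools::version_compare()` here is hard-coded a second and third time in OSConfigurator_linux24.cpp and PolicyCompiler_ipt::prolog() in this same commit, and three copies of one compatibility threshold will drift. Define it once where the other iptables version checks live (for example `static const char* MIN_IPTABLES_VERSION_FOR_M_SET = "1.4.1.1";` in a header both the GUI and iptlib already include) and compare against that. A short comment would also help the next reader: `// module "set" needs iptables >= 1.4.1.1; force the option off so a stale use_m_set is cleared on save`. Whether `data` writes a disabled, unchecked box back as false is inferred from `registerOption`/`loadAll` rather than visible here, so please confirm.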
@@ -468,22 +481,16 @@ packets to IPv6 policies - - - - - 0 - 0 - - + + - Accept ESTABLISHED and RELATED packets before the first rule + Use module "set" for run-time Address Table objects (module is only available in iptables v 1.4.1.1 and later) - + QFrame::HLine @@ -496,7 +503,7 @@ packets to IPv6 policies - + @@ -536,14 +543,14 @@ packets to IPv6 policies - + Install the rule for ssh access from the management workstation when the firewall is stopped - + Qt::Vertical @@ -867,10 +874,10 @@ packets to IPv6 policies Prolog/Epilog - + 6 - + 6 @@ -1001,12 +1008,12 @@ packets to IPv6 policies Logging - - 6 - 20 + + 6 + diff --git a/src/gui/platforms.cpp b/src/gui/platforms.cpp index 02436f77d..34836dc5f 100644 --- a/src/gui/platforms.cpp +++ b/src/gui/platforms.cpp @@ -404,6 +404,7 @@ void getVersionsForPlatform(const QString &platform, std::list &res res.push_back(QStringPair("1.2.9", QObject::tr("1.2.9 to 1.2.11"))); res.push_back(QStringPair("1.3.0", QObject::tr("1.3.x"))); res.push_back(QStringPair("1.4.0", QObject::tr("1.4.0 or later"))); + res.push_back(QStringPair("1.4.1.1", QObject::tr("1.4.1.1 or later"))); res.push_back(QStringPair("1.4.3", QObject::tr("1.4.3 or later"))); } else { diff --git a/src/iptlib/OSConfigurator_linux24.cpp b/src/iptlib/OSConfigurator_linux24.cpp index 977ae73ab..03cec5ce1 100644 --- a/src/iptlib/OSConfigurator_linux24.cpp +++ b/src/iptlib/OSConfigurator_linux24.cpp @@ -76,6 +76,11 @@ OSConfigurator_linux24::OSConfigurator_linux24(FWObjectDatabase *_db, OSConfigurator(_db, fw, ipv6_policy) , os_data(fw->getStr("host_OS")) { command_wrappers = new Configlet(fw, "linux24", "run_time_wrappers"); + + FWOptions* fwopt = fw->getOptionsObject(); + string version = fw->getStr("version"); + can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0 && + fwopt->getBool("use_m_set")); } OSConfigurator_linux24::~OSConfigurator_linux24() 
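Review bot: `fwopt->getBool("use_m_set")` dereferences the result of `fw->getOptionsObject()` with no null check in the constructor; I cannot see from this hunk whether that accessor can return NULL, so either guard it (`fwopt != NULL && fwopt->getBool("use_m_set")`) or add a comment saying why it never is. The predicate is also an exact copy of the one added to PolicyCompiler_ipt::prolog() in this commit, and if the two ever disagree the policy compiler prints `-m set` matches while this class still wraps the command (or vice versa). Moving it into one shared helper, or at least adding `// must agree with PolicyCompiler_ipt::prolog(): both sides decide how run-time AddressTable rules are emitted`, makes that coupling explicit.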
@@ -468,7 +473,12 @@ string OSConfigurator_linux24::printRunTimeWrappers(FWObject *rule, */ bool wildcard_interface = false; - QString combined_command = addressTableWrapper(rule, command.c_str(), ipv6); + QString combined_command; + + if (can_use_module_set) + combined_command = command.c_str(); + else + combined_command = addressTableWrapper(rule, command.c_str(), ipv6); command_wrappers->clear(); command_wrappers->removeComments(); diff --git a/src/iptlib/OSConfigurator_linux24.h b/src/iptlib/OSConfigurator_linux24.h index 9c2e6739b..06bfc0015 100644 --- a/src/iptlib/OSConfigurator_linux24.h +++ b/src/iptlib/OSConfigurator_linux24.h @@ -48,7 +48,8 @@ namespace fwcompiler { OSData os_data; Configlet *command_wrappers; - + bool can_use_module_set; + std::map address_table_objects; // this vector is used to avoid duplication of virtual addresses for nat diff --git a/src/iptlib/PolicyCompiler_PrintRule.cpp b/src/iptlib/PolicyCompiler_PrintRule.cpp index 7d81777e3..cc0f4b739 100644 --- a/src/iptlib/PolicyCompiler_PrintRule.cpp +++ b/src/iptlib/PolicyCompiler_PrintRule.cpp @@ -96,13 +96,13 @@ string PolicyCompiler_ipt::PrintRule::_printSingleOptionWithNegation( ostringstream ostr; if (XMLTools::version_compare(version, "1.4.3")>=0) { - ostr << _printSingleObjectNegation(rel); + ostr << _printSingleObjectNegation(rel); ostr << option << " "; ostr << arg << " "; } else { ostr << option << " "; - ostr << _printSingleObjectNegation(rel); + ostr << _printSingleObjectNegation(rel); ostr << arg << " "; } return ostr.str(); @@ -1109,6 +1109,7 @@ string PolicyCompiler_ipt::PrintRule::_printDstService(RuleElementSrv *rel) string PolicyCompiler_ipt::PrintRule::_printSrcAddr(RuleElement *rel, Address *o) { + PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); string res; if (AddressRange::cast(o)!=NULL) { 
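Review bot: When `can_use_module_set` is true the new branch emits `command` untouched and skips `addressTableWrapper()`, but nothing in this diff creates the ipset or loads the address-table file into it, so the `-m set --set NAME src` rule that PrintRule now produces will be refused by iptables at load time unless that set already exists on the firewall. If creation and population are generated elsewhere (another configlet, or a follow-up commit) say so in a comment; otherwise this path has to emit the ipset create/add commands ahead of the rule. Suggested comment for the branch: `// -m set: the ipset named after the AddressTable must be created and filled before this rule is loaded`. printRunTimeWrappers() starts before this hunk, so I cannot see whether `command` already carries something that handles this.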
@@ -1126,11 +1127,23 @@ string PolicyCompiler_ipt::PrintRule::_printSrcAddr(RuleElement *rel, Address * return res; } + + MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); + if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME && + ipt_comp->can_use_module_set) + { + string set_match = "--set " + o->getName() + " src"; + ostringstream ostr; + ostr << "-m set " << _printSingleOptionWithNegation("", rel, set_match); + return ostr.str(); + } + return _printSingleOptionWithNegation(" -s", rel, _printAddr(o)); } string PolicyCompiler_ipt::PrintRule::_printDstAddr(RuleElement *rel, Address *o) { + PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); string res; if (AddressRange::cast(o)!=NULL) { @@ -1147,6 +1160,17 @@ string PolicyCompiler_ipt::PrintRule::_printDstAddr(RuleElement *rel, Address * return res; } + + MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); + if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME && + ipt_comp->can_use_module_set) + { + string set_match = "--set " + o->getName() + " dst"; + ostringstream ostr; + ostr << "-m set " << _printSingleOptionWithNegation("", rel, set_match); + return ostr.str(); + } + return _printSingleOptionWithNegation(" -d", rel, _printAddr(o)); } diff --git a/src/iptlib/PolicyCompiler_ipt.cpp b/src/iptlib/PolicyCompiler_ipt.cpp index dda61675e..65dd5e2c5 100644 --- a/src/iptlib/PolicyCompiler_ipt.cpp +++ b/src/iptlib/PolicyCompiler_ipt.cpp @@ -515,6 +515,11 @@ int PolicyCompiler_ipt::prolog() n++; } + string version = fw->getStr("version"); + can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0 && + fwopt->getBool("use_m_set")); + actually_used_module_set = false; + return n; } 
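Review bot: `"--set " + o->getName() + " src"` copies the object's display name verbatim into an iptables command line that ends up inside a generated shell script, and nothing in this hunk validates it; an AddressTable whose name contains whitespace, quotes or `$(...)` breaks the rule or injects into the script, and ipset has its own limits on set-name length and characters (31 characters in the versions I know of — to be confirmed for the target). Derive the set name through one sanitising function shared with whatever creates the set, rejecting or mapping anything outside `[A-Za-z0-9_.-]` and aborting compilation with a clear error when the name cannot be used, instead of calling `getName()` directly here and again in `_printDstAddr`. A one-line helper such as `string set_match = ipt_comp->setMatchFor(o, "src");` would also keep the two call sites in step.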
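Review bot: Passing an empty option to `_printSingleOptionWithNegation("", rel, set_match)` defeats the version switch that helper exists for: with `option` empty both branches place `!` ahead of `--set` (with a stray double space), so iptables 1.4.1.1 and 1.4.2 — which this commit explicitly enables through the new "1.4.1.1" platform entry — get the new-style negation the `< 1.4.3` branch was written to avoid. If the old style for this match is `--set ! NAME dst`, as the helper's structure suggests, pass option and argument separately: `ostr << "-m set " << _printSingleOptionWithNegation("--set", rel, o->getName() + " dst");` (and the `src` twin in `_printSrcAddr`). Please verify the accepted syntax against the ipset userspace for 1.4.1.x/1.4.2 before settling on either form.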
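Review bot: `actually_used_module_set = false` is the only write to that member in this commit — the new `-m set` branches in PrintRule return their match without setting it — so anything that later reads the flag (for instance to decide whether to emit ipset setup or a module load) will always see false. Either set it where the match is printed (`ipt_comp->actually_used_module_set = true;` in both `_printSrcAddr` and `_printDstAddr`) or leave the member out until it has a reader. A comment here naming who sets and who consumes it would avoid the same confusion later. prolog() starts before this hunk.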
@@ -1006,12 +1011,23 @@ bool PolicyCompiler_ipt::singleItfNegation::processNext() bool PolicyCompiler_ipt::singleSrcNegation::processNext() { + PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel = rule->getSrc(); /* ! A B C ACTION */ if (srcrel->getNeg() && srcrel->size()==1) { + // We call singleSrcNegation before we replace AddressTable + // objects with MultiAddressRunTime objects + FWObject *o = FWReference::getObject(srcrel->front()); + if (AddressTable::cast(o) && AddressTable::cast(o)->isRunTime() && + ipt_comp->can_use_module_set) + { + srcrel->setNeg(false); + srcrel->setBool("single_object_negation", true); + } + Address *src = compiler->getFirstSrc(rule); // note: src can be NULL if object in this rule element is a group // or MultiAddress @@ -1029,12 +1045,23 @@ bool PolicyCompiler_ipt::singleSrcNegation::processNext() bool PolicyCompiler_ipt::singleDstNegation::processNext() { + PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementDst *dstrel = rule->getDst(); /* A ! B C ACTION */ if (dstrel->getNeg() && dstrel->size()==1) { + // We call singleSrcNegation before we replace AddressTable + // objects with MultiAddressRunTime objects + FWObject *o = FWReference::getObject(dstrel->front()); + if (AddressTable::cast(o) && AddressTable::cast(o)->isRunTime() && + ipt_comp->can_use_module_set) + { + dstrel->setNeg(false); + dstrel->setBool("single_object_negation", true); + } + Address *dst = compiler->getFirstDst(rule); if (dst!=NULL && dst->countInetAddresses(true)==1 && !compiler->complexMatch(dst, compiler->fw)) 
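Review bot: The new branch depends on processor order — the comment `// We call singleSrcNegation before we replace AddressTable objects with MultiAddressRunTime objects` — but that order is fixed in the rule-processor chain outside this hunk, and if someone later moves the MultiAddressRunTime substitution ahead of this step `AddressTable::cast(o)` silently stops matching and such rules quietly fall back to the old negation handling. Point the comment at the place that guarantees the order (`// ordering guaranteed in the processor chain: this runs before processMultiAddressObjectsInRE`) or make the check accept both shapes. `FWReference::getObject(srcrel->front())` may also return NULL for a dangling reference and I cannot see whether `AddressTable::cast(NULL)` tolerates that, so `o != NULL && AddressTable::cast(o) && ...` is cheap insurance. singleSrcNegation::processNext() continues past the hunk.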
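Review bot: The comment copied into singleDstNegation still reads `// We call singleSrcNegation before we replace AddressTable` and should name this processor: `// We call singleDstNegation before we replace AddressTable objects with MultiAddressRunTime objects`. Apart from `dstrel`/`getDst()` the nine added lines are identical to the src hunk; a small helper such as `static void negateRunTimeAddressTableInPlace(RuleElement *rel, bool can_use_module_set)` called from both processors would keep the two from drifting the next time one is fixed. singleDstNegation::processNext() continues past the hunk.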
@@ -2558,7 +2585,6 @@ bool PolicyCompiler_ipt::specialCaseWithFW1::processNext() bool PolicyCompiler_ipt::specialCaseWithFWInDstAndOutbound::processNext() { - PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; Interface *itf = compiler->getFirstItf(rule); @@ -2922,7 +2948,6 @@ bool PolicyCompiler_ipt::decideOnChainIfSrcFW::processNext() * with an interface which is a bridge port. */ - RuleElementItf *itfre = rule->getItf(); Interface *rule_iface = compiler->getFirstItf(rule); if (rule_iface == NULL || rule_iface->isBridgePort()) { @@ -3022,7 +3047,6 @@ bool PolicyCompiler_ipt::decideOnChainIfDstFW::processNext() * with an interface which is a bridge port. */ - RuleElementItf *itfre = rule->getItf(); Interface *rule_iface = compiler->getFirstItf(rule); if (rule_iface == NULL || rule_iface->isBridgePort()) { @@ -3982,7 +4006,6 @@ bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext() return true; } - /* * iptables does not have target that would do nothing and would not * terminate processing of the packet (like NOP), so we create a new diff --git a/src/iptlib/PolicyCompiler_ipt.h b/src/iptlib/PolicyCompiler_ipt.h index cabcffa2c..1d9cb2e2b 100644 --- a/src/iptlib/PolicyCompiler_ipt.h +++ b/src/iptlib/PolicyCompiler_ipt.h @@ -66,6 +66,8 @@ protected: bool have_dynamic_interfaces; bool have_connmark; bool have_connmark_in_output; + bool can_use_module_set; + bool actually_used_module_set; std::string my_table; std::map tmp_chain_no; diff --git a/src/pflib/PolicyCompiler_pf.cpp b/src/pflib/PolicyCompiler_pf.cpp index eb2081cfb..e2d6ef45c 100644 --- a/src/pflib/PolicyCompiler_pf.cpp +++ b/src/pflib/PolicyCompiler_pf.cpp 
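Review bot: `can_use_module_set` and `actually_used_module_set` are added as bare `bool` members with no initialiser and are only assigned in `prolog()`, so any path that reaches `PrintRule::_printSrcAddr` or the negation processors on a compiler whose prolog has not run reads an indeterminate value (the constructor is not in this diff, so I cannot tell whether it covers them). Initialise both in the constructor's initialiser list (`can_use_module_set(false), actually_used_module_set(false)`) and document them, e.g. `bool can_use_module_set;       // iptables >= 1.4.1.1 and option use_m_set; computed in prolog()` and `bool actually_used_module_set; // meant to record that a -m set match was printed (no writer sets it true yet)`. This applies equally to the `bool can_use_module_set;` added to OSConfigurator_linux24.h, though that one is assigned in its constructor.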
@@ -93,7 +93,11 @@ int PolicyCompiler_pf::prolog() return PolicyCompiler::prolog(); } - +/* + * this is very much like + * Compiler::swapMultiAddressObjectsInRE::processNext() except it also + * registers the table using registerTable() + */ bool PolicyCompiler_pf::swapAddressTableObjectsInRE::processNext() { PolicyCompiler_pf *pf_comp=dynamic_cast(compiler); diff --git a/src/res/help/en_US/release_notes_4.1.0.html b/src/res/help/en_US/release_notes_4.1.0.html index 41f5013f0..4579d222d 100644 --- a/src/res/help/en_US/release_notes_4.1.0.html +++ b/src/res/help/en_US/release_notes_4.1.0.html @@ -302,6 +302,40 @@

+
  • +

    + Most dialogs were adjusted to make sure they fit on the screen 1024x768 +

    +
  • + +
  • +

    + fixed #1612 "File/Open should create + new project panel". If user has some unsaved changes in the + default project panel (the one with no associated file) and then + uses File/Open menu to open another data file, the file should + open in a new project panel. +

    +
  • + +
  • +

    + fixed #1611 "File/New should create new project panel". Like + #1612, open new data file in a new project panel if current + project panel has no data file associated with it but has + unsaved changes. +

    +
  • + +
  • +

    + fixed #1622 "Crash when configuring cluster". The GUI used to + crash if user created a cluster copying rules of one of the + cluster members while that rule set was opened in the rule set + view. +

    +
  • + @@ -473,6 +507,20 @@

    +
  • +

    + Added support for iptables module "set" used to generate + iptables command for rules with run-time AddressTable + objects. This module is only available in iptables 1.4.1.1 and + later, however some embedded platforms do not have it even + though they ship later versions of iptables (e.g. OpenWRT). Use + of this module is controlled by a checkbox in the iptables + "advanced" settings dialog which is off by default. This + checkbox becomes disabled when iptables version is set to < + 1.4.1.1. +

    +
  • + diff --git a/test/ipt/objects-for-regression-tests.fwb b/test/ipt/objects-for-regression-tests.fwb index 39002c003..6473222dc 100644 --- a/test/ipt/objects-for-regression-tests.fwb +++ b/test/ipt/objects-for-regression-tests.fwb @@ -1,6 +1,6 @@ - + @@ -6671,7 +6671,7 @@ - + @@ -7947,33 +7947,35 @@ - + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + @@ -7982,16 +7984,7 @@ - - - - - - - - - @@ -53360,6 +53353,674 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +