group and addresses table object names" is in effect. This happened if
the same user-defined group was used in multiple rules or different
rule element of the same rule. In this case generated PF table would
have several copies of the same addresses.
not work right when the same object is used in several different
groups. If the same object was a member of multiple groups and these
groups were used in the same or different rules of the same PF
firewall, compiler used all groups in all rules.
fixed bug (no number) introduced when I was working on #2667.
Setting broadcast address in the network object with netmask /31
to 255.255.255.255 broke rule shadowing algorithm.
config". Compiler for PF can now preserve names of object groups,
dynamic groups, compile-time AddressTable and compile-time DNSName
objects in the generated pf.conf file. This is optional and is
controlled by a checkbox in the firewall settings dialog.
compiler for PF does not need to generate protocol match "proto {tcp
udp icmp}" when service object used in the NAT rule is "any". The
reason this was done this way is lost in the mist of time; it's been
like this since very early versions of fwbuilder.
when user opens the firewall or any of its children objects in the
editor. This includes any rule set, interface or any other child
object.
Also moved function Interface::getParentHost() from class Interface to
class Host as static FWObject* Host::getParentHost(FWObject *o). Its
behavior is now more logical, it returns non-NULL pointer only if an
object actually has a parent that is host, firewall or cluster. Old
function Interface::getParentHost() returned non-NULL pointer even
when object was not in the proper position in the tree.
Now this function can be used to get parent host/firewall/cluster for
any child object rather than only interface.
I had to fix bunch of problems in unit tests that got uncovered because
new function behaves in a more strict way (returns NULL when there is
no parent of correct type).
should use "(interface)" syntax to the right of "->" in NAT rules.
This now works for all interfaces, including those that have ip
addresses in fwbuilder configuration, when interface object appears in
"Translated Source" in a nat rule. When firewall object appears in
"Translated Source", it gets replaced with a set of its interfaces
which also get translated into "-> (interface)".
single object negation in "Inbound Interface" and "Outbound
Interface" columns in compiler for iptables.
* NATCompiler_pf.cpp (compile): see #2456 Added support for single
object negation in "Interface" rule element of PF NAT rules. Now
compiler can produce PF commands such as "nat on ! em0 ... " (for
PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)
* Compiler.cpp (singleObjectNegation::processNext): moved rule
processor that processes single object negation in any rule
element to the base class Compiler.
When branching rule points to a rule set that has rules with Tag and
Classify options, branching should occur in mangle table even when
checkbox "create branch in mangle table" is not checked. The fix in
this change is tentative as it creates branch in chains PREROUTING,
POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in
POSTROUTING, this may create conflict. Need to test more.
compiling single rule with IPv6 destination and IPv4 gateway or
interface". Routing compiler for iptables does not support ipv6 at
this time and will issue a warning when user tries to place ipv6
address or network in a routing rule. The warning does not appear
when ipv6 address is a member of a group used in the rule. Also
see #1575.
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.
* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.
* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally can
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
branch, running tests. Making sure rules that have firewall
object in ODst and interface columnblank end up with rdr command
without "on interface" clause as before.
sure we print "ifconfig" commands for mtu and other parameters for
all interfaces, including those with no ip addresses and bridge
ports (unnumbered interfaces used to be skipped before)
