compiler for PF does not need to generate protocol match "proto {tcp
udp icmp}" when service object used in the NAT rule is "any". The
reason this was done this way is lost in the mist of time; it's been
like this since very early versions of fwbuilder.
should use "(interface)" syntax to the right of "->" in NAT rules.
This now works for all interfaces, including those that have ip
addresses in fwbuilder configuration, when interface object appears in
"Translated Source" in a nat rule. When firewall object appears in
"Translated Source", it gets replaced with a set of its interfaces
which also get translated into "-> (interface)".
single object negation in "Inbound Interface" and "Outbound
Interface" columns in compiler for iptables.
* NATCompiler_pf.cpp (compile): see #2456 Added support for single
object negation in "Interface" rule element of PF NAT rules. Now
compiler can produce PF commands such as "nat on ! em0 ... " (for
PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)
* Compiler.cpp (singleObjectNegation::processNext): moved rule
processor that processes single object negation in any rule
element to the base class Compiler.
branch, running tests. Making sure rules that have firewall
object in ODst and interface columnblank end up with rdr command
without "on interface" clause as before.
sure we print "ifconfig" commands for mtu and other parameters for
all interfaces, including those with no ip addresses and bridge
ports (unnumbered interfaces used to be skipped before)
support for configuring static routes on BSD". Implemented support
for simple static routing rules. ECMP and routing via interface
(routing to directly reachable subnets) are not
supported. Generated script preserves static routing entries that
existed before and attempts to recover in case of error. Needs
testing.
nat rules syntax has changed in OpenBSD 4.7. Nat and rdr rules in
4.7 should be implemented using action "match" and keywords
"nat-to" and "rdr-to"
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction):
fixes#1414: use "match" action for tagging. Policy rules
with action Tag should use pf action "match" instead of "pass"
if version is 4.6 or later.
some flags for the "non-default" rule options for PF"
* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getPolicyRuleOptions):
fixed#1364 "add synproxy and other missing pf rule options to the
rule options tooltip"
New feature: incremental VLAN interface management for OpenBSD and
FreeBSD. When user adds or removes VLAN subinterface in fwbuilder
GUI, geenrated script executes appropriate ifconfig commands to
add or remove corresponding vlan pseudo-interface on the firewall
machine.
fixes#1210 "syntax error in PF rule - "modulate state" is
required". Per bug reported in the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy"if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes#1087
* CompilerDriver_ipt_run.cpp (CompilerDriver_ipt::run): Refs #869
making sure non-english comments appear correctly in the single
rule compile output and generated configuration files and scripts.
