table entries in case of an error with commands adding new routing
entries was broken and left the machine with no routes at all.
Also, use mktemp to create the temporary directory. If mktemp is not
available, fall back to a less secure but guaranteed-to-work method
where I generate a randomized name for the temporary directory using
the process ID.
5.0.1". A rule with a cluster interface in "Destination" should compile
into matches for the IP addresses assigned to both the cluster interface
object and the corresponding member firewall's interface object, but in
v5.0.1 it only matched the member interface address. This bug was
triggered when the iptables version was set to 1.2.11 or greater. This
was a regression from v5.0.0.
deprecated". Need to use --match-set instead of --set if the iptables
version is >= 1.4.4. The fix done for #3059893 was only in the policy
compiler but needs to be done in both the policy and NAT compilers.
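The version check described above, as an added shell example (this is not fwbuilder's own compiler code): a small dotted-version comparison picks "--match-set" for iptables 1.4.4 and later and "--set" for anything older, and a helper assembles the complete "-m set" clause. The set name "blocked" is a constructed example.

```shell
#!/bin/sh
# Added example, not fwbuilder's own code: select the ipset match option
# for the detected iptables version. "--set" was deprecated in favour of
# "--match-set" starting with iptables 1.4.4.

# version_ge A B: return 0 if dotted version A >= B.
# Each numeric component is compared in turn; a missing component
# counts as 0 and a suffix such as "-rc1" is ignored.
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(echo "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(echo "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# ipset_match_option VERSION: print the option name to use.
ipset_match_option() {
    if version_ge "$1" 1.4.4; then
        echo "--match-set"
    else
        echo "--set"
    fi
}

# ipset_clause VERSION SETNAME FLAGS: print the full "-m set" clause,
# e.g. "-m set --match-set blocked src" (set name is constructed).
ipset_clause() {
    ver="$1"; setname="$2"; flags="$3"
    echo "-m set $(ipset_match_option "$ver") $setname $flags"
}

# Stand-alone demonstration with two constructed versions.
ipset_clause 1.3.8 blocked src
ipset_clause 1.4.21 blocked src
```

Both the policy and NAT rule generators can call ipset_clause, so the same threshold is applied in both places.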
parent bridge interface. This allows us to correctly match which
bridge the packet comes through in configurations using wildcard
bridge port interfaces. For example, when br0 and br1 both have a "vnet+"
bridge port interface, iptables can still correctly match which bridge
the packet went through using an "-o br0" or "-o br1" clause. This can be
useful in installations with many bridged interfaces that get created
and destroyed dynamically, e.g. with virtual machines. Note that the
"-i br0" / "-o br0" clause is only added when there is more than one
bridge interface and the bridge port name ends with the wildcard symbol "+".
group and addresses table object names" is in effect. This happened if
the same user-defined group was used in multiple rules or in different
rule elements of the same rule. In this case the generated PF table would
have several copies of the same addresses.
not work right when the same object is used in several different
groups. If the same object was a member of multiple groups and these
groups were used in the same or different rules of the same PF
firewall, the compiler used all groups in all rules.
fixed a bug (no number) introduced when I was working on #2667.
Setting the broadcast address in a network object with netmask /31
to 255.255.255.255 broke the rule shadowing algorithm.
iptables script uses "which" to check if all utilities it uses exist
on the machine. We should also check if "which" itself exists and
issue a meaningful error message if not.
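The two prologue checks mentioned in this file, guarding "which" itself before relying on it and creating the temporary directory with mktemp when available, as one added shell example. This is not fwbuilder's generated script; the directory name prefix "fwb." is a constructed choice, and the optional "--no-mktemp" argument exists only to exercise the fallback path.

```shell
#!/bin/sh
# Added example, not fwbuilder's own generated script: prologue checks
# for a firewall script that depends on external utilities.

# check_which: return 0 if "which" is usable. "command -v" is a shell
# builtin, so the check itself does not depend on "which" being present.
check_which() {
    if command -v which >/dev/null 2>&1; then
        return 0
    fi
    echo "Error: utility \"which\" is not installed; cannot verify required tools" >&2
    return 1
}

# make_tmpdir [--no-mktemp]: create a private temporary directory and
# print its path. Prefer mktemp -d, which creates the directory
# atomically with mode 0700. Without mktemp, fall back to a name built
# from the process ID; mkdir fails if that path already exists, so a
# pre-created directory or symlink is never silently reused.
make_tmpdir() {
    base="${TMPDIR:-/tmp}"
    if [ "$1" != "--no-mktemp" ] && command -v mktemp >/dev/null 2>&1; then
        dir=$(mktemp -d "$base/fwb.XXXXXX") || return 1
        echo "$dir"
        return 0
    fi
    n=0
    while [ "$n" -lt 100 ]; do
        dir="$base/fwb.$$.$n"
        if mkdir -m 700 "$dir" 2>/dev/null; then
            echo "$dir"
            return 0
        fi
        n=$((n + 1))
    done
    echo "Error: could not create a temporary directory under $base" >&2
    return 1
}
```

The fallback is still weaker than mktemp because the name is predictable, which is why the exclusive mkdir matters: it turns a guessable name into a failed command rather than into use of a directory someone else created.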
direct broadcast addresses. When an interface of the firewall is
configured with netmask /31, policy compilers should not treat the
second address of this "subnet" as a broadcast.
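The /31 exception, as an added shell example (not fwbuilder's compiler code): compute the directed broadcast of an interface's subnet, returning nothing for /31 and /32 so that the second address of a point-to-point pair is never classified as a broadcast. All addresses below are constructed.

```shell
#!/bin/sh
# Added example, not fwbuilder's own code: directed-broadcast detection
# that treats /31 and /32 as having no broadcast address.

# ip2int A.B.C.D: print the address as a 32-bit integer.
ip2int() {
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N: print a 32-bit integer in dotted form.
int2ip() {
    n="$1"
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# broadcast_of ADDR PREFIXLEN: print the directed broadcast of the subnet
# containing ADDR, or nothing when the prefix is /31 or /32.
broadcast_of() {
    addr="$1"; plen="$2"
    if [ "$plen" -ge 31 ]; then
        return 0
    fi
    a=$(ip2int "$addr")
    hostmask=$(( (1 << (32 - plen)) - 1 ))
    int2ip $(( (a | hostmask) & 4294967295 ))
}

# is_broadcast ADDR IFADDR PREFIXLEN: succeed only if ADDR is the directed
# broadcast of the interface subnet IFADDR/PREFIXLEN.
is_broadcast() {
    b=$(broadcast_of "$2" "$3")
    [ -n "$b" ] && [ "$b" = "$1" ]
}

# Stand-alone demonstration with constructed addresses.
echo "10.0.0.1/24 broadcast: $(broadcast_of 10.0.0.1 24)"
echo "192.168.1.10/31 broadcast: '$(broadcast_of 192.168.1.10 31)' (none)"
```

A policy compiler that uses is_broadcast for the "Source" classification will not pick the INPUT chain for the far end of a /31 link, since that address is just another host.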
iptables INPUT chain". The compiler was choosing chain INPUT with
direction "outbound" for rules that had the old broadcast address in
"Source"; this led to an invalid iptables configuration with chain INPUT
and an "-o eth0" interface match clause.
fixed a bug in the rule processor that replaces an AddressRange object
representing a single address with an IPv4 object. Also eliminated code
redundancy.
br0.5)". Currently fwbuilder cannot generate a script to configure VLAN
subinterfaces of bridge interfaces; however, if the user did not request
this configuration script to be generated, the compiler should not abort
when it encounters this combination.
config". Compiler for PF can now preserve names of object groups,
dynamic groups, compile-time AddressTable and compile-time DNSName
objects in the generated pf.conf file. This is optional and is
controlled by a checkbox in the firewall settings dialog.
compiler for PF does not need to generate the protocol match "proto {tcp
udp icmp}" when the service object used in the NAT rule is "any". The
reason it was done this way is lost in the mists of time; it's been
like this since very early versions of fwbuilder.
when the user opens the firewall or any of its child objects in the
editor. This includes any rule set, interface, or other child
object.
Also moved the function Interface::getParentHost() from class Interface to
class Host as static FWObject* Host::getParentHost(FWObject *o). Its
behavior is now more logical: it returns a non-NULL pointer only if an
object actually has a parent that is a host, firewall or cluster. The old
function Interface::getParentHost() returned a non-NULL pointer even
when the object was not in the proper position in the tree.
Now this function can be used to get the parent host/firewall/cluster for
any child object rather than only an interface.
I had to fix a bunch of problems in unit tests that got uncovered because
the new function behaves in a stricter way (returns NULL when there is
no parent of the correct type).
should use "(interface)" syntax to the right of "->" in NAT rules.
This now works for all interfaces, including those that have IP
addresses in the fwbuilder configuration, when an interface object appears in
"Translated Source" in a NAT rule. When a firewall object appears in
"Translated Source", it gets replaced with the set of its interfaces,
which also get translated into "-> (interface)".
single object negation in the "Inbound Interface" and "Outbound
Interface" columns in the compiler for iptables.
* NATCompiler_pf.cpp (compile): see #2456. Added support for single
object negation in the "Interface" rule element of PF NAT rules. Now the
compiler can produce PF commands such as "nat on ! em0 ... " (for
PF < 4.7) or "match on ! em0 ..." (for PF >= 4.7).
* Compiler.cpp (singleObjectNegation::processNext): moved the rule
processor that processes single object negation in any rule
element to the base class Compiler.
When a branching rule points to a rule set that has rules with Tag and
Classify options, branching should occur in the mangle table even when
the checkbox "create branch in mangle table" is not checked. The fix in
this change is tentative as it creates the branch in chains PREROUTING,
POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in
POSTROUTING, this may create a conflict. Need to test more.
should be done in PREROUTING so it can be acted on later". If a
rule has both tagging and classification options, the rule should
be split so that the iptables command doing tagging goes into the PREROUTING
chain and the command doing classification goes into the POSTROUTING chain.